FROM THE EDITOR


I,  User 


A  tale  of  madness,  confusion, 
rage  and  remorse.  With  a 
moral  at  the  end. 


I  have  a  confession  to  make. 

I  am  a  user. 

Yes,  although  I  help  edit  a  business  technology  magazine,  I  myself  am  just  a  simple 
user  of  the  services  IT  provides.  And  like  most  users,  I  am  often  bugged,  bothered, 
bewildered  (and  short-tempered)  about  IT  changes. 

For  instance,  we  recently  migrated  to  a  new  content  management  system,  and  one 
of  its  features  is  the  automation  of  the  print  function.  As  a  result,  I  no  longer  have  to 
do  the  back-breaking  work  of  dragging  “Print”  down  from  the  File  menu  and  clicking 
on it manually. Instead, our new system recognizes that I want to
print something when I change its status in the system. And then
it prints it. Or doesn’t. And when it doesn’t, there’s nothing I can
do about it. It’s automated, see? Meaning I have no
control  over  it.  And  because  I  have  no  control,  a  signal  goes  off  deep  in  the  reptilian 
part  of  my  brain  that  it’s  time  to  attack  someone.  Someone  in  IS. 

Rationally,  I  know  all  this  is  not  IS’s  fault.  But  because  feelings  of  powerlessness 
lead  to  feelings  of  rage,  rationality  simply  doesn’t  enter  the  equation. 

My point is this: CIOs need to approach automation carefully because by definition
it removes control from users. Therefore, CIOs need to communicate, they need
to be open, and they need to market changes well. Check out United States Tennis
Association CIO Larry Bonfante’s column, “No Marketing, No Sale” (Page 28) on how
to do that successfully through multiple channels in multiple ways. Before somebody
gets hurt.

Of course, I say that jokingly. I’m completely harmless. But the world out there is
anything but. In Senior Writer Ben Worthen’s cover story, “IT Versus Terror” (Page 34),
Worthen’s reporting reveals that the government’s use of data-mining technology to
prevent terrorism is being compromised by an almost total lack of project management
or ROI analysis. Amid the public debate about the efficacy and morality of data
mining as a strategy to combat terrorism, this story cuts through the FUD to provide
a deep understanding of the necessity for establishing a strong business case for any
technology initiative, even when the value of the goal is beyond debate.

Also in this issue is Senior Writer Susannah Patton’s “Disaster!” (Page 42) about
how one company kept its business and its lines of communication open in the aftermath
of last summer’s London terrorist bombings. The story lays out a simple, robust
crisis management strategy that any CIO can and should deploy.

Both  articles  are  critical  to  the  CIO’s  understanding  of  the  world  and  IT’s  role  in 
their  businesses,  and  both  emphasize  the  need  for  openness  and  communication  in 
the  conduct  of  the  CIO  job.  Without  that,  people  really  might  get  hurt. 

And  that’s  no  joke. 


David  Rosenbaum,  Managing  Editor 

drosenbaum@cio.com 
Neutral on Neutrality

The  key  issue  is  structural,  not  political 

When I started to pen this column on network
neutrality— the notion that all content on the Internet
should continue to be treated equally— I thought
I was on the side of grassroots coalitions like Save the
Internet and Hands off the Internet. These groups
believe that Internet traffic should not be parsed
based on the traffic’s source, content or destination,
and they predict that the Internet will become a private
toll road unless Congress writes a strong definition
of network neutrality into the Communications
Opportunity, Promotion and Enhancement Act of 2006 (COPE), otherwise known
as HR 5252, the proposed rewrite of the Telecom Act of 1996.

What’s  the  position  of  the  telecom  providers?  They’ve  invested  billions  to  upgrade 
network  infrastructure  in  anticipation  of  more  bandwidth-intensive  apps.  In  order  to 
continue  investing  in  the  health  of  the  Internet,  and  in  order  to  have  it  run  smoothly, 
they  need  to  be  able  to  discriminate  between  high-demand  and  low-demand  traffic. 

The word that sticks in the craw is “discriminate,” and it has sent millions of Internet
users into a frenzy of worry that a looser definition of network neutrality will turn
large telecom providers into not only toll collectors but content police.

Think of your own use of the Internet. Are your digital photos and home videos
consuming more bandwidth? Of course they are. What about your corporate website?
Are you using streaming video yet? And what happens if the “Year of Videoconferencing”
actually becomes reality? Bandwidth demand skyrockets.

I’ve  reconsidered.  I’m  now  neutral  on  the  concept  of  network  neutrality.  The  real 
issue— what’s  really  important  to  address— is  how  woefully  behind  the  rest  of  the 
world  the  United  States  is  in  pervasive,  high-speed  broadband  deployment. 

What  our  nation  needs  more  than  HR  5252  is  a  comprehensive,  long-term  national 
telecommunications  infrastructure  policy  that  lays  out  how  our  country  will  build 
that national high-speed broadband network. If we don’t, our nation will not be able
to COPE with the rest of the world.
Yea or Nay on SOA?

With all of the coverage of SOA, it was
refreshing to finally read an article that
brought the reader back to reality [“The
Truth About SOA,” June 15]. While the
benefits of such an approach mimic similar
ideas around object-oriented programming
from years gone by, discussing
concepts and actually implementing them
are two different things. Anyone actually
doing SOA is doing it on a small scale
only.

At this time, SOA is a corporate architecture
sponsored initiative. Unfortunately,
tacticians responsible for implementing
projects have a different problem. SOA
will be implemented as small projects over
time. The challenge will be if IT groups can
be organized in a way to leverage and grow
SOA at the same time.

BILL  KIRBY 

Teradata 


Most of the time, IT trade publications
latch on to The Next Big
Thing as the save-all, be-all for
every organization on the planet.
I have had it up to here with SOA
articles this past year. Thank you
for an article that, for once, gives
a realistic picture of the true
nature of technology adoption
and the few companies that use
it well.

JON ERICSON

Roland  Corp. 

SOA  is  about  decoupling  the 
code  that  does  the  work  from 
the  application  that  needs 
the  work  done.  It  makes 
good  business  sense.  If  an 
application  needs  to  get 
something  done,  why  not  break 
it  up  and  have  a  service  do  the  work?  The 
application  can  call  the  service.  It’s  slightly 
more  work  at  development  time,  but  if  you 
ever  need  to  do  that  same  work  anywhere 
else  in  the  organization,  you  simply  reuse 
the  service.  It  eliminates  code  redundancy 
and  opens  the  door  to  more  interconnected 
systems. For example, we are using services
for authentication, authorization and
auditing. A new application can use these
proven services at almost no incremental
cost. Development cost for all future
development and integration efforts will
be reduced.

It’s all about using technology to
improve the business. Every new application
or feature leads to the inevitable next
step. Once you have a new functionality,
why not have another system, vendor or
customer interact with that functionality?
SOA enables the next logical step to happen
faster and cheaper.

PETER  PIOTTI 

Eclipsys  Corp. 


Aim Higher for Alignment

How unfortunate that small and midmarket
companies believe IT organizations
are best only at supporting tactical
efforts [“Room to Improve IT’s Moves,”
June 15]. Business and IT leaders need to
aim higher. It is possible to pursue not only
tactical but strategic and innovative
business-IT alignment. But IT can’t innovate
for the business in a vacuum, nor can the
business effectively leverage technology
without involvement from IT. Set higher
expectations for IT and pursue those
higher expectations through an alignment
model that enables continual communication,
education and collaboration.

JOHN  HUGHES 

President,  GrowthWave 

In  Defense  of  Federal  IT 

In the May 15 issue of CIO, an otherwise
thoughtful article about federal
IT issues [“Federal IT Flunks Out”]
was marred by a misleading, inaccurate
characterization of a single, off-the-cuff
remark at the retirement party
of my predecessor, Dan Matthews, the
then-outgoing CIO for the Department
of Transportation. The reality at the
department is that the CIO position
reports to the secretary and has significant
policy and operational responsibilities
for IT across the entire department.
Matthews, during his tenure, became
the trusted technology adviser within
the office of the secretary.

This  meant  that  Matthews  was  called 
on  to  provide  advice  on  how  to  maximize 
the  success  of  the  department’s  missions 
through  the  use  of  technology,  and  yes,  he 
sometimes  volunteered  to  personally  get 
involved  when  the  help  desk  was  asked  to 
solve problems dealing with phones. Perhaps
the author was unaware that the CIO


10  AUGUST  1,  2006  |  www.cio.com 




at the department is not only responsible
for computer support but also communications,
which includes telephony technology
issues.

I have found John Flaherty (the secretary’s
chief of staff whose remarks were
unfairly described), Secretary Norman
Mineta and other senior department officials
to be strongly supportive of ensuring
the ability of the departmental CIO to have
broad policy impact and control. I would
not have been willing to serve in the position
if I thought otherwise; I doubt that Mr.
Matthews would have either.

DANIEL  MINTZ 

CIO 

Office  of  the  Secretary 
Department  of  Transportation 
The Best Medicine...

I loved your Editor’s Letter “What’s So
Funny?” [May 15]. What you had to say
can make the difference between a successful,
long-term employee relationship and
a failing, short-term, loss-of-investment
employee relationship.

I am a huge fan of Gracie Allen humor. I
love the obvious and literal
humor in our daily activities.
I laugh and smile most
of the time because life itself
can be so funny! I make it my mission to do
two things each day: First, find someone
who is struggling and give him encouragement
and something to laugh at, sometimes
himself; and second, when I hear something
negative, make sure when I leave the tone is
positive— and humor is key to doing this. I
may be quirky but I can write a “sung to the
tune of” in minutes, and I send them off as
stress relief to coworkers.

We are all confronted with staff we can’t
seem to get along with, bad days, mistakes,
boredom and lack of opportunity, management
included. We all need
humor as daily medicine. Adding
it to training is a start— possibly
a must! Very refreshing article, I
was cheered up just reading it.

KEVIN  C.  STEVENS 

Home  National  Bank 
kstevens@homenationat.com 


Infusing fun into the workplace
is an important facet that
leaders can encourage within
the group to build camaraderie
and stimulate imagination. We
poke fun at ourselves and each
other during staff meetings and
via e-mail, sharing war stories,
past mistakes and group outings.
I always say that people
with self-effacing humor are perceived
as secure, confident and likeable. We
need to show that it is OK to have fun!


DAVID MICKELSON

Loomis Sayles & Co., L.P.


A few years ago at my company, I really
needed a way to ease the stress of our fast-paced,
rigorous environment, raise morale
and in general just have
some “business fun”— and,
of course, do it cheaply.

And so “ugly shirt day”
was born. One Friday per month, consultants
were encouraged to wear their ugliest
(but legal!) shirts to work. It started off
slowly, but gradually grew with more and
more participants voluntarily suffering the
teases and jibes of their coworkers. After a
few months, half the employees were participating,
wearing dashikis from the ’60s,
polyester from the ’70s, tie-dye from whenever,
animal prints, psychedelics, Hawaiian
shirts, you name it. So many people joined
the fun that we created the “Trophy of Bad
Taste,” and competition spread with teams
of people vying for the coveted award.

After many more months, ugly shirt day
evolved to theme day, with the entire service
organization decorating their team’s
row once a month: Hawaiian day, baseball
day, American day, cheerleader day (it’s
amazing how many guys will dress as
cheerleaders for a laugh) and many other
themes. Eventually, people started bringing
theme-based food. And it was all free.

The result of all this? The highest associate
satisfaction scores we ever received and
the highest associate retention rate— which
meant we kept more talented people, and
that drove our client satisfaction scores
to their highest-to-date levels (along with
client retention). We all won, and I’d do it
again in a heartbeat.

JONATHAN  NORD-CRANE 

Vice  President 

ADP  National  Accounts  Services 


What  Do  You  Think? 


Send your thoughts and feedback to letters@cio.com.
Letters may be edited for length or
clarity. For a link to the articles mentioned, go
to www.cio.com/archive


BOARD  OF  ADVISERS  '06 


CIO  wishes  to  acknowledge  the  2006  Editorial  Advisory  Board  members  for  their  ongoing 
guidance  and  reality  check  of  the  magazine’s  content  and  focus.  We  thank  them  for  their 
generosity  in  sharing  their  insight  into  the  world  of  IT  leadership. 


GREGOR BAILAR
CIO
Capital One
Falls Church, Va.

DOUG BARKER
CEO
Barker and Scott Consulting
Washington, D.C.

WAYNE D. BENNETT
Partner
Bennett Law
Wellesley, MA

LARRY BONFANTE
CIO
United States Tennis Association
White Plains, N.Y.

SHEILA DONAHOE
CIO
Bluegreen
Boca Raton, Fla.

MICHAEL EARL
Professor of Information Management, Dean of Templeton College
Oxford University
Oxford, England

PAUL J. GAFFNEY
EVP, Supply Chain
Staples
Framingham, Mass.

ANDY GEISSE
CIO
AT&T
San Antonio

JOHN GLASER
VP & CIO
Partners Healthcare
Boston

SCOTT HEINTZEMAN
CIO
Carlson Marketing Group
Plymouth, Minn.

C. LEE JONES
Chairman, President & CEO
Essential Group
Gurnee, Ill.

SUSAN S. KOZIK
EVP & CTO
TIAA-CREF
New York City

BUD MATHAISEL
Corporate VP & CIO
Solectron
Milpitas, Calif.

SHELEEN QUISH
Former CIO
U.S. Can
Lombard, Ill.

REBECCA R. RHOADS
CIO
Raytheon
Lexington, Mass.

LARAINE RODGERS
President
Navigating Transitions
Tucson, Ariz.

JAMES F. SUTTER
Senior Partner
The Peer Consulting Group
Newport Beach, Calif.

RICHARD W. SWANBORG JR.
President
ICEX
Boston

PATRICIA WALLINGTON
President
CIO Associates
University Park, Fla.

ROBERT P. WEIR
VP, Information Services
Northeastern University
Boston

STEVE WILLIAMS
SVP & CIO
Mattress Giant
Addison, Texas


Business Policies Put on Trial Along with Hackers

SECURITY

What do you do when you suspect that an
employee you have entrusted to keep your network running
has sabotaged it for revenge or financial gain?

Brokerage  UBS  is  the  latest  company  to  find  itself  in 
the  spotlight  as  a  result  of  that  dilemma.  In  June,  former 
UBS  systems  administrator  Roger  Duronio  went  on  trial 
in  Newark,  N.J.,  for  allegedly  infecting  UBS’s  network  with 
malicious  code  that  cost  the  company  millions  of  dollars. 

(A  verdict  on  federal  charges  of  securities  fraud,  computer 
sabotage  and  mail  fraud  was  pending  at  press  time.) 

During the trial, prosecutors painted Duronio as having
been so irate about his less-than-desired bonus that he
developed malicious code in order to cause a major disruption
on UBS’s network. Lawyers defending Duronio, who
pled not guilty, claimed that vulnerabilities in UBS’s security
procedures and systems left the network open to attack.

Prosecutors alleged that after Duronio created the code in
late 2001, he quit his job and banked thousands of dollars in
put options on UBS, from which he

Continued on Page 16


We  Want  Our  Phones  to  Be  Stylish  (and  Free  Is  Good  Too) 


TELECOMMUNICATIONS

Style and price are the two
biggest reasons why consumers choose a particular mobile phone,
according to a survey by J.D. Power and Associates.

Thirty-nine percent of the 18,740 users surveyed mentioned
design as a buying factor, making it the single most popular answer,
according to Kirk Parsons, an analyst with J.D. Power. Getting something
for nothing was the most-cited cost factor: 29 percent said they
chose their phone because it was free.

Few respondents said they chose their current phone because it
had a particular feature, such as a color screen, a digital camera or
speakerphone.

U.S.  consumers  have  been  slower  than  those  in  many 
European  and  Asian  countries  to  embrace  advanced  mobile 
services  and  the  feature-rich  phones  that  support  them.  However, 
consumers’  use  of  advanced  features  is  gradually  growing. 

Use  of  the  most  popular  special  feature,  speakerphone,  rose  from 
22  percent  of  respondents  last  year  to  26  percent  this  year.  Also 
in  the  latest  survey,  19  percent  said  they  use  a  camera  phone 
regularly,  up  from  14  percent  previously. 

-Stephen  Lawson 
DATA

Future retirees may not have to file paperwork to get their Social
Security checks, thanks to a government plan to convert old data into
electronic form.

The  U.S.  Social  Security  Administration  is  looking  into  technology  that 
would  enable  it  to  digitize  massive  amounts  of  data,  says  Kimberlee  Mitchel, 
senior  technical  adviser  for  the  agency.  Millions  of  old  records  are  stored  in 
paper  form;  the  move  to  electronic  form  will  allow  the  agency  to  better  track 
the  eligibility  of  U.S.  citizens  for  Social  Security  retirement  benefits,  Mitchel 
said  at  the  Gartner  Government  Conference  2006  in  June. 

“We  envision  a  future  where  we  gather  data  almost  transparently,”  she 
said.  "When  you’re  eligible  for  Social  Security,  the  check  shows  up  in  your 
checking  account." 

The  government’s  intelligence  agencies  also  are  looking  heavily  into 
technology  that  can  quickly  convert  typewritten  and  even  handwritten  text 
(for  example,  notes  handwritten  in  Arabic)  into  electronic  data,  said  another 
panelist,  Greg  Pepus,  senior  director  of  federal  outreach  at  In-Q-Tel,  a 
venture  capital  firm  funded  by  U.S.  agencies  such  as  the  CIA.  "The  problem 
is  the  vast  majority  of  data  in  the  world  isn’t  in  databases,”  Pepus  observes. 
In  addition,  In-Q-Tel  is  looking  for  better  technologies  that  allow  searches 
across  multiple  databases  in  one  interface,  he  says.  The  goal  is  to  enable 
targeted  searches  that  allow  intelligence  analysts  to  spend  less  time  looking 
for  data  and  more  time  analyzing  it.  -Grant  Gross 


[Chart: “Business Processes”; categories listed: Enabling business processes, Improved IT performance, Business innovation, Cost reduction; values not recoverable.]

Numbers total more than 100% due to rounding.
SOURCE: CIO Tech Poll, June 2006

Continued  from  Page  15 


would have profited if the company’s stock
price declined as a result of the attack that
was set to launch on March 4, 2002.

The damage caused by the malicious code
impaired trading at the firm that day, hampering
more than 1,000 servers and 17,000
workstations, and cost UBS about $3 million
to assess and repair.

Such  cases  are  becoming  increasingly 
common,  according  to  Kristen  Mathews, 
an  attorney  with  Brown  Raysman  Millstein 
Felder  and  Steiner  in  New  York. 

While  laws  are  maturing  to  handle  these 
types  of  suits,  she  says,  businesses  still  face 
challenges  gathering  evidence  to  support 
their  cases.  Another  obstacle  to  litigation  is 
that  many  companies  are  reluctant  to  enter 
into  public  lawsuits  that  may  attract  negative 
media  attention.  Before  the  trial  began,  UBS 
petitioned  the  court  unsuccessfully  to  close 
the  proceedings. 

“It’s common for a company to have to
defend its own security policies and procedures
at the same time they’re prosecuting
against a person who managed to get by those
policies and procedures,” Mathews says.

So,  how  can  a  company  defend  against 
insider  attacks?  To  begin,  companies  should 
make  an  effort  to  protect  themselves  against 
insiders  as  well  as  external  attacks,  says  Erik 
Hart,  VP  and  information  security  officer  for 
Cole  Taylor  Bank.  “At  many  businesses,  things 
put  in  place  to  protect  from  Internet  attacks 
haven’t  been  applied  to  internal  threats,”  he 
says.  And  insiders  have  more  targets,  such  as 
payroll  applications. 

At Cole Taylor, Hart is employing security
information and event management tools
from Network Intelligence to help defend
against internal threats, including monitoring
systems that IT administrators can’t
access. But Hart notes that the best prevention
is to understand how information flows
in your business and to continually monitor
that flow. “You have to be proactive about
monitoring the network on a daily basis,”
Hart says.

-Shelley  Solheim 
Vista:

Empower Workers, Minimize Risk and Cost

Delivering business value to the enterprise can be daunting,
but meeting the challenge promises to pay dividends to the
businesses that align their IT to empower their people. IT
organizations are under pressure to reduce costs, keep systems
up and running, and fend off security threats. In a world where
corporate governance is increasingly regulated, the demands of compliance
are unforgiving and absolute. And at a time when global competition
is stronger than ever, quality is still king.


Windows Vista™ was designed to help customers
create a People-Ready business. A People-Ready
business knows that people are its most important
asset, and it empowers its people to drive the business
forward. When individuals realize their potential,
your company realizes its potential. Microsoft
Windows Vista does this by reducing costs, minimizing
security threats and empowering desktop
users. In recognition of today’s dispersed business
strategies, it enables a better connected, more collaborative
and highly secure mobile workforce. By
optimizing the desktop infrastructure and opening
new doors to creativity, it also helps users organize
and manage their information better. This means
they work smarter, not harder.

Through its enhanced functionality, Windows
Vista Enterprise — as well as other Windows Vista
versions for home and business — is meeting the
challenges and maximizing the opportunities of
delivering business value. In addition to including
all the features of Windows Vista Business, it offers
advanced capabilities that reduce IT costs and complexity
in large organizations. Its focus on data protection,
application compatibility and worldwide
deployment makes it highly compatible with enterprise
environments.

Microsoft
Custom Publishing
Advertising Supplement
Reducing the complexity of desktop infrastructures is
a rising priority among organizations of all sizes seeking
to streamline their day-to-day IT operations. Toward
that end, Windows Vista Enterprise — which is available
to all Microsoft® Software Assurance and Microsoft
Enterprise Agreement customers — is designed specifically
to help realize a better return on IT investments.

It does this in many ways: Data on PCs is better protected,
even if the PC is lost or stolen. Application compatibility
issues with previous Windows® versions and
with UNIX are mitigated, easing migration costs, and
the integration of all Windows user interface languages
enables a single worldwide image, dramatically lowering
desktop deployment costs.

There  are  four  pillars  that  make  Windows  Vista 
Enterprise  a  robust  business  operating  system  that 
large  businesses  can  rely  on  for  extended  IT  computing 
environments: 

■  Find  and  Use  Information 

■  Enable  the  Mobile  Workforce 

■  Improve  Security  and  Compliance 

■  Optimize  the  Desktop  Infrastructure 

Says Brad Brooks, director of Windows Client consumer
marketing: “Windows Vista Enterprise is about
being more agile and productive, whether it is in corporate
headquarters or on the road. It is also about knowing
your data is available — and more secure — whenever
you want it. On top of everything else, it is the lowest-cost
operating system ever produced for a PC.”

Find  and  Use  Information 

The success of a business depends on the success of its
people. Making employees more productive and facilitating
communication are the main reasons companies
invest in information technology. Yet even with the tools
available today, it’s still difficult for employees to quickly
find the information they need and to maximize the
power of their PC. Windows Vista is designed as a
People-Ready solution so they can easily find, share and
use information.

First and foremost, Windows Vista provides employees
with a high-performing, reliable PC that is ready
when they are. Technologies like SuperFetch™ can
increase the performance of the computer by enabling
applications and files to load much faster.

IDC estimates that companies may face between
$9,000 and $14,000 in lost productivity per knowledge
worker per year, as people try to find or re-create misplaced
information. The fast, integrated desktop search
in Windows Vista makes it easy for users to maximize the
information stored on their computers and across the
enterprise. Unlike add-on desktop search products that
require users to go into a separate tool to search data,
with Windows Vista, desktop search is integrated
throughout the operating system—in the start menu,
control panel and document folders—making it easy to
find the answers they seek.

“Recently, I talked with a customer who said if I could
save his heavy IT users 30 minutes a week, he would sign
up for Windows Vista Enterprise the next day,” Brooks
states. “I showed him how quickly he could find information
via the integrated search functionality, and how he
could create virtual searches and save them so they
could recapture information more quickly. When I told
him about the faster boot-up time and how quickly he
could move from a cold start or sleep state to full operations,
he realized that his users could easily save more
than 30 minutes per week.”

Enable  the  Mobile  Workforce 

Laptop and tablet PC users will get the most immediate
benefits from Windows Vista. Research from both
Gartner and Forrester Research concluded that mobile
computers can improve employee productivity and generate
a positive return on their investments. Given their
benefits, it is no surprise that laptop sales are outpacing
traditional desktop PC sales.

However,  support  for  mobile  users  in  the  enterprise 
today  adds  to  the  complexity  of  IT  environments. 
Additionally,  laptops  pose  unique  security  risks.  New 
tools  in  Windows  Vista  can  help  organizations  realize  the 
benefits  of  mobile  computing — along  with  reduced  costs 
and  more  security — enabling  the  mobile  workforce  to  be 
more  productive  and  better  connected. 

To help address the security risks of mobile computing,
Windows Vista includes the latest wireless security
protocols so users can connect to Wi-Fi networks more
securely. Network Access Protection, which is used with
the Windows Server™ “Longhorn” infrastructure, ensures
that computers are in a more secure state before they are
allowed to reconnect to the network, preventing them
from spreading a virus inside a company’s network
perimeter.

BitLocker™ Drive Encryption is a data protection feature
available in Windows Vista Enterprise and Windows
Vista Ultimate for client computers, and in Windows
Server Longhorn. It provides full-volume encryption and
boot integrity checking to help ensure that the data on a
company computer stays confidential, even if the PC is
lost, stolen or decommissioned.

“The mobile workforce is taking mission-critical data
on the road, and that data needs to be protected,” Brooks
says. “We have added security protocols to accomplish
that task. With BitLocker Drive Encryption, if a PC is lost
or stolen, nobody can access its data without the proper
encryption key. In addition, it is possible to quickly move
from a computing environment to a presentation requirement
that is not plagued by pop-ups or e-mail flashes.”

Improve  Security  and  Compliance 

Unfortunately,  in  today’s  digital  world,  computers  are  an 
increasingly  attractive  target  for  criminals  hoping  to  steal 
information  or  to  harm  businesses.  Financial  losses  due 
to  lost  or  unauthorized  access  to  data  are  on  the  rise. 
Sophisticated  social  engineering  attacks  can  trick 
employees  into  revealing  confidential  information.  In 
addition,  new  government  regulations  require  strict 
compliance  with  security  and  data  protection  policies. 

To help organizations conform to these policies,
Windows Vista provides multiple layers of protection.

Microsoft developers are among the earliest groups to
benefit from this enhanced protection. Because
Windows Vista is the first desktop operating system
released since the Microsoft Trustworthy Computing
Initiative began, Microsoft developers now receive ongoing
security training, and Microsoft hires leading security
experts to perform thorough testing. The end results are
a fundamentally more secure platform that is harder to
exploit, and a reduced need for security updates.

In order to maintain a more secure, compliant environment,
it is important to identify who is attempting to
use the computer, and then to control what resources
they can access. Windows Vista makes identification and
control much easier by having built-in support for strong
user authentication. Additionally, the presence of granular
event logging, auditing and tracking for security makes
it easier for companies to achieve compliance with both
internal policies and government regulations.

To control access, companies face a difficult trade-off:
Do they give users full administrator permission and
accept the security and compliance risks? Or do they
limit the privileges of users and face lower application
compatibility and user productivity? Windows Vista User
Account Control helps make the choice easy by giving
users the power to do more things on their own, with
higher application compatibility than previous versions
of Windows, while reducing the attack surface area of the
company’s PCs.

Says  Brooks:  “The  user  account  controls  in  Windows 
Vista  Enterprise  are  robust  enough  to  prevent  malicious 
software  from  installing  itself  in  the  background.  By  having 
these  user  account  controls,  we  have  created  a  much  more 
secure  environment.  We  have  also  strengthened  Internet 
Explorer®  7,  so  that  when  it  runs  in  protective  mode,  it  will 
reject  unwanted  applications  and  minimize  the  risk  of 
users  inadvertently  installing  malicious  software.” 

Optimize  the  Desktop  Infrastructure 

Managing desktop images is expensive today because IT
departments have to maintain and test separate OS
images for each language and computer hardware type
in their companies. Some firms may have as many as
one full-time IT professional to support each image. For
example, Gartner estimates that annual IT labor costs
range from $250 to $800 per PC, depending on a company’s
level of IT maturity.

With the new Windows Vista imaging technology,
organizations can deploy a single OS image to different
types of computer hardware and machines in
different languages. The new deployment tools not only
ease the migration to Windows Vista, but also provide
ongoing savings of up to 25 percent because the new
images are easier to maintain, update and deploy to new
users.

To facilitate the initial Windows Vista migration,
Microsoft is providing the Application Compatibility
Toolkit (ACT) version 5.0. The early availability of this
tool, as well as the online community Microsoft is building
for customers, partners and vendors to share their
testing results, will significantly ease application compatibility
testing for enterprise customers. This leads to
diminished support costs.

Wherever possible, Windows Vista will “heal” itself,
avoiding user interruptions and unnecessary help desk
calls. If Windows cannot fix the problem automatically,
built-in diagnostics log when a system error takes place
and can walk the user through problem resolution. For
instance, the new Startup Repair Tool can automatically
repair even unbootable systems. If users do need support,
Windows Vista also includes new tools such as the
Reliability and Performance Monitor, improved Remote
Assistance, and the new Event Viewer, all of which enable
helpdesk staff to get users up and running more quickly.

Brooks points to the cost-cutting opportunities offered
by Windows Vista Enterprise. “In addition to saving
money by deploying a single worldwide image, the optimized
desktop infrastructure of Windows Vista Enterprise
minimizes costs by minimizing migration times. It further
employs desktop deployment tools that make it easy to
convert from Windows XP without sending your IT staff
around to touch every PC on every desktop.”

Enhanced  Enterprise  Capabilities 

Advanced Application Compatibility Solutions are a critical
component of Windows Vista. Among them is Virtual
PC Express, which provides a safety net for operating
system migration by making it possible to run a legacy
operating system and legacy applications simultaneously
with Windows Vista. In effect, this enables users to run
legacy applications in a virtual machine. Tools that
increase interoperability with UNIX applications are also
provided as part of the Subsystem for UNIX-based
Applications (SUA). This capability makes Windows-based
workstations more versatile by allowing users to
run UNIX-based applications on a Windows Vista
Enterprise-based computer.

The Multilingual UI and availability of all Worldwide
Language Packs reduce image management and support
costs by managing a single worldwide desktop image
that lets businesses deploy desktops with any user interface
language. It also enables users to switch between
languages as easily as logging on.

Microsoft Software Assurance is a maintenance offer
that helps organizations get the most from Microsoft
software through a broad range of benefits. From deployment
planning and staff training to product support and
software upgrades, Software Assurance benefits help
customers increase worker productivity, accelerate organizational
performance and realize a greater return on
their software investments.

Getting  Started 

There  are  already  thousands  of  customers  testing  beta 
versions.  Microsoft  recently  released  Windows  Vista  Beta 
2  and  began  the  Customer  Preview  Program,  a  program 
by  which  customers  get  access  to  Beta  &  RC  bits  and  key 
evaluation  resources.  Millions  more  customers  are 
expected  to  install  and  evaluate  the  operating  system  as 
they  get  ready  for  the  release  of  Windows  Vista. 

There  are  a  number  of  things  that  companies  can  do 
now  so  they  will  be  ready  to  deploy  Windows  Vista  as 
soon  as  possible  after  it  is  released. 

■ Download the Windows Vista Beta 2 from MSDN® or
TechNet to begin your evaluation and deployment
planning.
http://www.microsoft.com/windowsvista/getready/preview.mspx

■ Start compatibility testing using the tools in the
Application Compatibility Toolkit (Version 5). This
will help firms catch many of the compatibility issues
in migrating to Windows Vista and give them a start on
their testing processes.
http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx#EOB

■ Download and use the Windows Vista Deployment
Tools which make it possible to see easier ways to capture,
manage, and deploy Windows Vista images.
http://www.microsoft.com/technet/windowsvista/deploy/default.mspx

■ Participate with their account teams in a Rapid
Economic Justification study so they can measure the
value that Windows Vista will bring to their businesses.
http://www.microsoft.com/business/enterprise/value.mspx

■ Provide feedback to Microsoft about how Windows
Vista meets the needs of their organizations.
http://www.microsoft.com/windowsvista/sentiments/default.mspx

Conclusion 

Windows Vista Enterprise is designed to help large,
global organizations and organizations with highly
complex IT infrastructures significantly lower IT costs
and risks. In addition to all the features available in
Windows Vista Business, Windows Vista Enterprise provides
higher levels of data protection using hardware-based
encryption technology. It includes tools to mitigate
application compatibility issues and enables
organizations to standardize by using a single worldwide
deployment image. Available as a benefit to organizations
with PCs covered by Microsoft Software
Assurance or a Microsoft Enterprise Agreement,
Windows Vista Enterprise is a People-Ready operating
system that optimizes the performance and productivity
of users while helping organizations realize a higher
return on their IT investments.

“Windows Vista Enterprise was designed as a
People-Ready operating system from the ground up to
accommodate how people use the PC on an everyday
basis,” Brooks says. “It creates a more agile, customer-responsive
organization that increases power and productivity
while reducing the cost of ownership.” ■

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker,
SuperFetch, Windows, Windows Vista and WinFX are either registered trademarks or trademarks
of Microsoft Corporation in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Creatures of a Virtual World


computer simulation Researchers studying artificial
intelligence are creating millions of simulated humans in
order to observe how they interact and evolve.

These software beings don't have names,
but they do have distinct virtual characteristics,
including gender, life expectancy, size and
metabolism. Their traits will be passed on as
they reproduce, but the beings will also be able
to learn and gain new characteristics.

So far, thousands of artificial beings have
been created in a single computer, but the goal
is to create a cluster of computers to host potentially
millions of them, says Gusz Eiben, the
project leader and a professor at Vrije Universiteit
in the Netherlands.

The  results  of  the  research  could  be  applied 
to  several  fields.  Sociologists,  anthropologists 
and  politicians  could  use  it  to  simulate  reactions 
to  events  such  as  elections.  Game  developers 
could  use  the  findings  to  create  more  intelligent 
characters  that  can  learn  and  adapt.  “Giving 
intelligence  to  them  would  make  the  games 
more  challenging,”  Eiben  says. 

Computers randomly generate the beings,
groups of which live in worlds that the researchers
create to present them with different challenges.
Built-in algorithms allow the beings to
create language, work together, and distinguish
between friend and foe. Researchers will discover
how the beings learn and interact by
studying the choices they make. At least at
first, the researchers aren’t likely to develop a
visualization tool that would allow observers to
see figures interacting on a computer screen.
Instead, graphs will plot details, like the number
of beings, which over time will allow the
researchers to follow their activities, including
reproduction and death.

The project, which began in 2004, is being
funded with a $2 million grant from the European
Union to five universities.

-Nancy  Gohring 


How to Align IT with Business Innovation


management  report  Unleashing  the  innovative  power  of  the  IT 
organization  is  a  goal  for  many  CIOs.  But  how  is  it  supposed  to  happen?  According 
to  a  recent  study  by  Forrester  Research,  the  solution  could  be  to  let  the  enterprise 
architects  play  a  key  role  as  coordinators  and  facilitators  for  a  company’s  innovation 
initiatives. 

The architects are the people within the IT organization who are best suited for
the mission, says Forrester analyst Alex Cullen, because they have an overall view of
the company and are plugged into business strategy. And because they are technology
generalists, they are better at seeing—and dealing with—new things than more
specialized IT managers.

The enterprise architecture group's role is mainly as a facilitator: to build an innovation
team, says Cullen. Participants in this so-called innovation network should
come from all over the company and include both business and IT people. The team's
role is to behave as a funnel, channeling ideas from a variety of sources, including
technical publications, other companies, academia or the consumer market.

“What happens in the beginning is that the people in charge of the process will
bring in a lot of ideas themselves that they find in different places,” Cullen observes.
“If it goes well, other people will be encouraged and do the same thing,” but in the
beginning, the enterprise architects should prime the pump.

Promising  ideas  need  to  be  bounced  against  potential  business  uses,  he  adds.  If  a 
company  decides  to  pursue  them,  then  the  enterprise  architecture  group’s  role  is  to 
deliver  the  technologies  and  IT  services  necessary  to  execute  the  ideas.  For  example, 
a  sales  management  organization  might  be  alerted  to  the  potential  for  podcasting 
as  the  means  for  continuous  sales  training,  but  it  will  need  a  technical  infrastructure 
and  the  production  of  training  materials  to  turn  the  idea  into  reality. 

For  Cullen,  the  bottom  line  is  that  IT  needs  to  contribute  to  innovation  equally 
with  business  leaders.  Letting  the  enterprise  architects  take  a  leadership  role  is  a 
first  step  toward  aligning  IT  with  the  business  innovation  process. 

-Alexandra  Heymowska 
How Your “Fist” Can Talk


authentication  What’s  the  best  way  to  ID  a  DJ? 
This  is  a  question  that  John  Heaven  thought  long  and  hard 
about  three  years  ago,  when  his  company,  Musicrypt,  was 
trying  to  create  a  better  way  for  record  companies  to  get  their 
music  into  the  hands  of  the  reviewers  and  radio  stations. 

In the past this had been done by mailing thousands of
CDs and press kits, but Heaven knew that online distribution
would be faster and less expensive. That’s when some
little-known research, begun by Allied intelligence services
during World War II, saved the day.

During the war, the Allies discovered they could track
German telegraph operators by identifying each operator’s
unique style of typing code, something known as “the fist of
the sender.” Forty years later, researchers took this discovery
to the computer keyboard and found that individuals
could also be identified by the rhythm of their typing.

The technology for making these identifications eventually
landed in the hands of the company BioPassword. After taking
about nine samples of an eight- to 16-keystroke password,
the company’s software is able to identify the “fist” of the
typist about 98 percent of the time. Musicrypt decided to use
the software to authenticate anyone who accesses its tunes.

Now  BioPassword  hopes  to  make  inroads  with  financial 
services  companies,  capitalizing  on  growing  fears  of  fraud 
and  identity  theft,  as  well  as  federal  guidelines  that  call  for 
banks  to  beef  up  their  online  authentication  techniques  by 
year’s  end. 

The software is being used by a number of smaller regional
banks, including Washington State’s CharterBank, San Antonio
City Employees Federal Credit Union and the Automotive
Federal Credit Union in Ann Arbor, Mich.

Nevertheless, the company has to prove itself as a credible
alternative to more established competitors such as RSA
Security, says Andrew Jaquith, senior analyst with Yankee
Group Research. “I think they’re going to have some challenges
getting over the credibility gap,” he says. “But it has
the benefit of being simple, and simple is good.”

-Robert  McMillan 
WHEN THE NEW JOB ISN’T IN I.T.:

Tips  for  Making  the  Transition 


on the move CIOs moving into
roles outside of IT can rest easy during
the transition knowing that in their new
positions they’ll rely on some of the
same skills that made them successful
CIOs: their ability to think strategically
and to attract and retain talented
individuals to carry out their plans.

Among  the  CIOs  who  migrated  out  of 
IT  this  spring: 

•  Rudi  Huber,  who  as  Alcoa’s  new 
European  president  now  coordinates 
HR,  legal,  media  and  government  affairs 
operations  in  Europe  and  Russia. 

•  Otis  Sawyer,  who  now  oversees 
IT,  transportation,  logistics  and  fabric 
procurement  as  La-Z-Boy’s  senior  VP  of 
corporate  operations. 

• Bobby Burg, who was promoted
to senior VP of operations and supply
chain strategy at Southern Wine &
Spirits.

• Mike Thyken, who was appointed
Select Comfort’s VP of process development.

•  Rhonda  Basset  Spiers,  former  CIO 
of  software  maker  BEA,  who  is  now  the 
COO  of  home  entertainment  systems 
provider  Control4. 

Even though CIOs taking on non-IT
roles can carry over their skills, the
transition can be bumpy. Asiff Hirji, the
former CIO, now COO, of TD Ameritrade,
says one of the biggest challenges in
the first few months of a non-IT job can
be the temptation to stay involved in
old projects and weigh in on technology
decisions. Accordingly, he advises CIOs
to distance themselves from their IT
organizations.

When former CIOs remain involved in the tactical aspects
of IT, colleagues may not take them seriously in their new
position, he says. Meanwhile, the distractions from their
new responsibilities may cause them to fail.

To make it easier to let go of the IT
reins, Hirji recommends appointing
someone you trust to the position you’re
vacating and handing full authority for IT decisions to
that person, even when, as is the case with Hirji, the new
CIO reports to you. “If you do the right thing in picking your
own successor, technology will take care of itself so you
can stop worrying about it,” he says.

-Meridith  Levinson 


Read Meridith Levinson’s MOVERS AND SHAKERS blog for the latest moves. Find it at blogs.cio.com.

TRENDLINES


IT  Laughs  @  Itself 


culture A British TV show has taken the best and worst of IT administrator
stereotypes and packed them into a clever, side-splitting comedy.

The IT Crowd features Jen, who has been appointed as a supervisor in her
company’s IT department but knows nothing about computers. When asked
during her job interview what she knows about IT, she says, “You know, e-mail.
Sending e-mail. Receiving e-mail. Deleting e-mail. Um, I could go on.”

But Jen’s social skills are sorely needed to raise the profiles of Moss
and Roy, two hopelessly geeky IT administrators banished to a dingy
basement office strewn with hardware detritus. Roy arrogantly advises
computer-challenged employees who call him with a problem to turn their
computers off and on again, which usually allows him to go back to reading
his comic books.

Coworker  Moss  is  a  stiff-spined  nerd  with  thick  glasses,  whose  deft 
technical  knowledge  but  nonexistent  social  skills  landed  him  a  desk  next 
to  Roy's.  When  Jen  makes  the  mistake  in  one  episode  of  asking  Moss  a 
techie  query,  Moss’s  answer  is  humorously  dubbed  over  with  the  sound 
of  static  as  Jen  blankly  stares. 

And  then  there’s  Richmond  the  Goth,  whose  Marilyn  Manson-like 
attire  sent  his  career  path  askew.  He  is  now  in  charge  of  a  mysterious 
bank  of  blinking  lights  that  presumably  power  their  building's  network. 

The show’s creators have sprinkled surprising hints of cool for street-geek
cred, such as the stickers on the IT office’s door from the online rights
advocacy group Electronic Frontier Foundation and the passive-aggressive
slogans on Roy’s technology-themed T-shirts. The IT Crowd pounds on nerd
stereotypes—Roy stumbles and bleeds in several episodes, while Moss’s
odd rigidness renders him impotent in normal conversation—but their high
comic moments melt any degrading perceptions of their jobs.

The  show's  successful  six-episode  run  last  fall  has  led  Britain’s  Channel 
4,  a  publicly  owned  nonprofit  station,  to  commission  another  season. 

Those  shows  are  likely  to  air  in  2007  in  the  United  Kingdom. 

-Jeremy  Kirk 


Why Change Hurts

leadership Change hurts. That’s not
a metaphorical statement. Change—the hope
of all innovative corporate leaders—induces a
physiological reaction in the brain that results
in stress, discomfort and pain.

Scientists  have  known  that  for  years.  The 
news,  according  to  UCLA  research  psychiatrist 
Jeffrey  M.  Schwartz  and  leadership  guru  David 
Rock,  is  that  by  focusing  attention  on  certain 
insights  and  ideas,  humans— and  even  large, 
inertia-anguished  companies— can  combat  this 
physical  resistance  to  change. 

When a person’s expectations are challenged,
the brain fires a distress signal. But say
an employee comes up with a way to cope with
a new demand. Then the Aha!—the moment
of insight—creates enough positive energy in
the brain to counter the negative feelings about
change. In leadership lingo, if employees are
going to embrace change, they need to own it.

A leader’s role, according to Rock, is to help
facilitate insight across the organization. But
that’s not all. Individual brains are shaped by
behavior. That means that in the long run, leaders
who make a habit out of change can undo
the hardwiring that causes brains to fight it. “If
you can create in your organization a powerful
expectation of change, then you can begin to
create a counterbalance to these physiological
reactions,” Schwartz says.

The Rock and Schwartz approach has implications
for time-honored leadership techniques:

• Incentives—carrots and sticks—are ineffective
at an individual level.

• Sharing your own solutions and insights
with employees has limited influence on their
behavior.

• Constructive criticism tends to focus too
heavily on problems. Instead, Rock recommends
“constructive creationism”: asking
employees how they might develop new,
improved habits and how you can help them.

“Once  you  learn  these  principles,  any  other 
way  of  communicating  is  annoying,”  says  Rock. 
“You  can  see  when  you’re  fighting  the  brain 
instead  of  harnessing  its  energy.” 

-Samar  Farah 


20  AUGUST  1,  2006  |  www.cio.com 


PHOTO  BY  DAVID  SAMUEL  ROBBINS/GETTY  IMAGES 



ESSENTIAL technology
FROM INCEPTION TO IMPLEMENTATION — I.T. THAT MATTERS


Storage needs increase as companies grow. But which
competing technology should you bet on?


Data  Looks  for  a  Home 

BY  CINDY  WAXER 

STORAGE | For a company whose bread and butter is producing crude oil, Newfield
Exploration’s storage environment was fast running out of gas. Saddled with a mix of
disparate systems, platforms and applications, the $1.7 billion Houston company’s storage
environment was “a mess,” according to Mark Spicer, Newfield’s vice president of
IT. Servers had to be rebooted twice a day to ensure availability, and keeping tabs on an
overburdened architecture was draining scarce IT resources. With a workforce growing
at an annual rate of 20 percent, Newfield Exploration was in desperate need of greater
storage capacity.

“We  were  just  starting  to  reach  critical  mass,  so  we  really  needed  to  overhaul  the  whole 
storage  system  to  plan  for  growth,”  says  Spicer. 

Newfield Exploration could have opted for age-old fibre channel technology. Instead,
in early 2003 the company turned to NetApp for its iSCSI-based storage area network.
Unlike with traditional network storage protocols such as fibre channel, operating iSCSI
(Internet Small Computer System Interface) requires only an Ethernet interface or any
other TCP/IP-capable network. Gone is the pricey equipment and specialized hardware
knowledge often demanded of a fibre channel (FC) SAN deployment. With iSCSI, the
promise is that companies can achieve a low-cost and easy-to-maintain centralization
of storage.

While it was risky to take a chance on a relatively new storage solution such as
iSCSI, Spicer says the decision has paid off. By implementing NetApp iSCSI
connectivity to store Windows application data such as Exchange stores, Web stores
and SQL Server databases, Newfield Exploration has improved performance by 20
percent, leveraged its existing Ethernet infrastructure and greatly expanded storage
capacity without having to add personnel—a cost savings of at least $85,000 a year.

Newfield Exploration is just one of many midsize companies gradually making the
move to iSCSI. Businesses have long relied on FC-SANs to offer rapid data transfer
rates, enormous bandwidth and highly predictable performance for mission-critical
applications. Such peak performance is especially critical to companies that depend
on applications for processing sensitive financial information and confidential
customer data. But the arrival of iSCSI has heralded a user-friendly—and considerably
cheaper—alternative for midsize and cash-strapped businesses. And vendors such as
EMC, EqualLogic, Hewlett-Packard and NetApp are fast catching on to the trend,
making iSCSI a key part of their storage solution portfolios.

The arrival of iSCSI has heralded a user-friendly—and considerably
cheaper—alternative to fibre channel SANs for midsize and
cash-strapped businesses.

iSCSI Pros and Cons

The allure of iSCSI is easy to understand. Whereas an FC-SAN deployment calls
for the installation of a high-priced host bus adapter and drivers, all it takes to
connect a server to an iSCSI network is a gigabit Ethernet network interface card.
Such ease-of-use is particularly attractive to today’s midsize businesses with limited
IT resources and tight budgets. And where FC-SANs often demand a hefty investment
in storage administrators, most IT professionals already possess a considerable
knowledge of Ethernet technology.

“iSCSI has emerged as a completely legitimate mainstream alternative to fibre
channel,” says John Sloan, a senior research analyst for Info-Tech Research Group.
According to a recent Info-Tech study, while spending on FC-SANs is virtually
nonexistent among enterprises with fewer than 100 employees, in enterprises with
100 to 500 employees, FC and iSCSI are receiving equal customer attention.

Despite this increasing popularity, iSCSI has been surrounded by its fair share of
controversy. For starters, promises of immediate cost savings have often not been
realized, according to Robert Passmore, VP of research at Gartner. “CIOs need to
understand that the savings [of iSCSI] have been exaggerated,” he says. “Therefore,
it’s important to look at the trade-offs and understand the positives as well as the
negatives.”

Chief among these negatives is the security risk iSCSI can introduce to the
enterprise. In the case of FC-SANs, the cables are inside a data center that only
employees can access. And even an ill-intentioned employee would have a tough time
finding the tools he would need to hack into fibre channel. But iSCSI is another
story. “Anybody with a PC made in the last 10 years and some shareware can tap in
and see exactly what’s going on over that network,” Passmore warns.

How to Secure an iSCSI SAN

Answer: Unplug it

For all its promises of user-friendliness and low-cost storage, a storage area
network based on Internet Small Computer System Interface (iSCSI) can present some
daunting security risks to today’s mid-market companies. After all, iSCSI is
essentially a combination of two protocols—TCP/IP and SCSI—neither of which
possesses built-in security features. Vendors have taken steps to deliver CIOs
greater peace of mind by introducing password authorization provisions and optional
protection mechanisms such as IPSec that act as a network layer, promising the safe
transmission of data over unprotected networks (such as the Internet). But when it
comes to guaranteed safety, Gartner analyst Robert Passmore says, “The answer is
isolation.”

By unplugging an iSCSI-based SAN’s Internet cable, a company can isolate iSCSI
traffic on a separate network and prevent unauthorized users from accessing
sensitive information. After all, says Passmore, “There’s no fundamental reason to
connect iSCSI to a public network.”

-CM.
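
The isolation advice in the sidebar “How to Secure an iSCSI SAN” can be checked on a storage host. The following is an added example, not part of the original article: it flags iSCSI listeners and sessions that are not confined to a dedicated storage network. TCP port 3260, the 10.50.0.0/24 storage subnet and the `ss`-style sample lines are assumptions constructed for illustration.

```python
import ipaddress

ISCSI_PORT = 3260  # IANA-registered iSCSI target port; the article does not name it

# Assumption for this example: the dedicated, unrouted storage network.
STORAGE_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed sample in the column layout printed by `ss -tna`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:3260         0.0.0.0:*
LISTEN  0      128    10.50.0.10:3260      0.0.0.0:*
LISTEN  0      128    192.168.1.20:3260    0.0.0.0:*
LISTEN  0      128    [::]:3260            [::]:*
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
ESTAB   0      0      10.50.0.10:3260      10.50.0.31:51544
ESTAB   0      0      192.168.1.20:3260    203.0.113.7:40112
"""


def split_endpoint(text):
    """Split 'addr:port' (IPv4, '[IPv6]:port' or '*:port') into (ip, port)."""
    host, _, port = text.rpartition(":")
    host = host.strip("[]")
    if host == "*":  # some ss versions print '*' for a dual-stack wildcard bind
        host = "::"
    port_num = int(port) if port.isdigit() else None
    return ipaddress.ip_address(host), port_num


def on_storage_net(ip):
    """True if the address belongs to one of the dedicated storage networks."""
    return any(ip in net for net in STORAGE_NETS)


def audit(ss_text):
    """Return (finding, local, peer) tuples for iSCSI exposure outside the storage net."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("LISTEN", "ESTAB"):
            continue  # header line or a socket state we do not audit
        state, local, peer = fields[0], fields[3], fields[4]
        l_ip, l_port = split_endpoint(local)
        if state == "LISTEN":
            if l_port != ISCSI_PORT:
                continue
            if l_ip.is_unspecified:
                # Bound to every interface, including any that face other networks.
                findings.append(("wildcard-listener", local, peer))
            elif not on_storage_net(l_ip):
                findings.append(("listener-off-storage-net", local, peer))
        else:
            p_ip, p_port = split_endpoint(peer)
            if ISCSI_PORT not in (l_port, p_port):
                continue
            # Both ends of an iSCSI session should sit on the isolated network.
            if not (on_storage_net(l_ip) and on_storage_net(p_ip)):
                findings.append(("session-off-storage-net", local, peer))
    return findings


if __name__ == "__main__":
    for kind, local, peer in audit(SAMPLE_SS):
        print(f"{kind:26} local={local:22} peer={peer}")
```
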

The Fibres that Bind

The need for a reliably secure storage system drove Capital Region Orthopaedic
Group to select fibre channel. Members of the 24-physician practice based in Albany,
N.Y., handle nearly 90,000 office visits each year and upward of 5,000 surgical
cases. In early 2002, Capital Region Orthopaedic opted to move from paper charts
and film-based X-rays to an all-electronic health records system and a digital
picture archiving and communications system, or PACS. While the transition was
intended to help Capital’s physicians electronically access everything from exam
notes to digital X-ray images, the size of the required database posed a problem.
Each digital X-ray comprises several megabytes of data, and Capital Region
Orthopaedic produces thousands of X-rays each year.

“Once we looked at the level of needs and projections for storage necessities, we
knew that we needed to move to a SAN,” says Raymond DeCrescente, Capital Region
Orthopaedic’s CTO.

To support the PACS application, Capital Region Orthopaedic traded in its
single-server storage system for an FC-SAN from HP. This FC-SAN can be scaled up
to 12 terabytes, providing instantaneous access to the past year’s images. It took
three weeks to deploy the new storage system, which represents a $480,000
financial investment, including servers, storage and fibre channel. Although far
from cheap, it’s an expenditure that DeCrescente says guarantees the growing
practice will have a secure solution and the HIPAA-required protection of
confidential medical records.

“While [fibre channel] is more expensive, it’s much more robust, more secure
and less susceptible to some of the problems that you can have with iSCSI,” says
DeCrescente.

In fact, for all the strides made by iSCSI vendors, fibre channel isn’t likely to be
displaced by its more cost-effective counterpart anytime soon. According to Gartner,
worldwide revenue for iSCSI-based solutions is expected to grow from less than
$300 million in 2006 to nearly $1.6 billion in 2009. But while combined iSCSI and
fibre channel sales are projected to reach $20 billion in 2009, fibre channel will
represent a whopping 79 percent of that.

Combined worldwide revenue for iSCSI and fibre channel sales are expected
to reach $20 billion in 2009. SOURCE: Gartner

What’s more, although iSCSI has typically been cheaper to acquire, fibre channel
vendors are now driving down their costs with easy-to-install, out-of-the-box
offerings.

“Everybody is pushing to extend SAN technology into the midsize and smaller
[market] so vendors are being more cost-conscious. You just can’t get away with
charging six figures for storage anymore,” says Sloan of Info-Tech.

Why You Don’t Have to Choose

The rising costs of iSCSI is why analysts recommend looking beyond the bottom
line when selecting a storage solution. While it’s easy to be seduced by a vendor’s
promise of instant savings, companies need to recognize the respective limitations
of both fibre channel and iSCSI. For example, an iSCSI deployment may cost a
fraction of the price of a fibre channel installation, but those savings can easily
be offset by the need for additional security measures. (For more on security
implications, see “How to Secure an iSCSI SAN,” Page 23.)

As it turns out, some companies are refusing to pick sides and instead are opting
for combining both in a hybrid storage model. Growing midsize companies with an
iSCSI solution already in place can easily add fibre channel onto the infrastructure
as the need for additional capacity arises. In turn, enterprises with large
investments in fibre channel can opt to connect remote servers into the networks
using iSCSI.

“The key thing is that for many storage applications in the small to midsize
enterprise space, iSCSI versus fibre channel is irrelevant,” says Sloan. “What
matters is that you get the best storage utilization and management features for
your dollar.”


Cindy  Waxer  is  a  Canada-based  freelancer.  Send 
feedback  to  drosenbaum@cio.com. 


All About Storage

For more on data centers and storage, visit our DATA STORAGE AND MINING
RESEARCH CENTER at www.cio.com/km/data/index.html.
CAREER COUNSEL


Breaking  Away 

Former  CIOs  offer  advice  on  how  to  leave  the  comforts  (and  constraints)  of  a  steady  job  and 
make  your  fortune  as  a  freewheeling  consultant 


Perhaps  it  was  at  the  end  of  a  tough  week  of  office 
politics.  Or  just  after  a  business  head  changed  the 
specs  on  a  major  new  build.  At  some  point  as  CIO, 
you  must  have  thought  to  yourself,  “Maybe  it’s 
time  to  try  consulting.” 

As  clients,  we  often  see  consultants  as  a  necessary  evil.  But 
from  time  to  time,  we  have  all  imagined  that  life  on  the  other 
side  must  be  sweet.  No  politics,  no  tedium,  no  staff  evaluations. 
Just  loads  and  loads  of  billable  hours. 

None of the CIOs-turned-consultants I spoke with describe their careers in such
idealistic terms but they do acknowledge that they have reaped benefits from making
the move. With their experiences as a guide, here are three models for pursuing
the consulting track.

1.  Buy  a  Firm 

Months before Geoffrey Hayden vacated his post as CIO of Jacuzzi Brands, he knew
his next job would be consulting. In August 2005, he purchased Bracken Consulting,
which provides IT services to hospitality companies. By the time he left Jacuzzi in
March 2006, he had changed the firm’s name to Acxential Business Solutions, assumed
the position of president and built a business plan to double revenue within 12
months. Hayden’s advice?

Buy, don't build. Hayden had recently moved his family to Texas and had neither a
great local Rolodex nor the flexibility to relocate. “If you don’t have enough strong
contacts to create a customer base,” he says, “buy an established firm.”

Network while you're CIO. “Start building up your networks before you need them,”
says Hayden. “Join regional CIO associations and business networking groups before
you set up shop.”

2.  Join  a  Firm 

After four years as CIO of Equity Office Properties, a Fortune 500 real estate
company, Scott Morey needed a change. His turnaround effort at Equity was complete.
He asked himself, “What am I? A technology person or a real estate person?” Real
estate won out, so he took a managing director position at RealFoundations, a small
management consultancy focused on real estate and property company operations. “At
the large firms, I would be more narrowly focused,” Morey says. “The smaller boutique
firm gives me the flexibility to start new service lines, to rebrand myself as an
operations person, and a tremendous diversity of experiences and learning.” He
learned three lessons from his experience.

Do  a  gut  check.  Ask  yourself  a  few  key  questions  before 
taking  on  a  consulting  role.  Are  you  prepared  to  travel?  To 
constantly  recreate  yourself?  Can  you  handle  rejection? 

Learn  to  listen.  “CIOs  who  fail  in  the  conversion  into 
consulting  haven’t  modified  their  approach,”  says  Morey. 
“They’re  not  a  leader,  but  an  adviser  and  a  coach.  Listening 
is  as  important  to  selling  your  consulting  services  as  it  is  to 
being  successful  once  you’re  engaged  in  the  work.” 

Draw  from  multicompany  experience.  “If  you  rely 
solely  on  your  last  experience  as  CIO,  you  risk  alienating  your 
client,”  says  Morey.  “If  you  come  in  and  say,  ‘I  come  from  the 
best  and  we  can  fix  it  for  you,’  you  will  appear  too  narrow  in 
your  expertise.” 

3.  Go  the  Independent  Route 

While Patricia Wallington was CIO of Xerox, her husband became critically ill and
she wanted more personal flexibility to accommodate his needs. Consulting was a path
toward a greater choice of work assignments and more control over her schedule.
Wallington is an independent consultant, responsible for her own business
development and project execution. She offers several pieces of advice.

Be  focused,  but  not  too  focused.  “One  of  my  clients 
had  some  troubled  projects,  so  project  management  was  what 
I  offered  them,”  says  Wallington,  founder  of  CIO  Associates. 
“Eventually,  they  asked  me  to  do  some  leadership  coaching. 
That  service  has  become  a  core  of  my  business.”  If  you  plan  to 
do  only  what  you  were  hired  to  do,  you  may  miss  out  on  new 
ways  to  evolve  your  business. 

Don't be a one-client act. Once you’ve started to do good work for a client, that
client may offer an endless array of projects. “That’s a trap,” warns Wallington.
“Don’t be so consumed by a company that your future becomes dependent on it.”

The  debate  rages  on  about  how  much  consulting  is  the  right 
amount  to  have  on  your  resume.  For  those  of  you  who  have  made 
the  switch,  what  words  of  wisdom  can  you  offer? 


The  Last  Word 


Martha  Heller  responds  to  readers’  comments 


A hearty thanks to all of the CIOs-turned-consultants who posted in response to
this column. James Huguelet, president of the Huguelet Group, offered a useful list
of questions any CIO ought to ask before making the move:

Will  I  be  as  comfortable  taking  directions  and  accepting 
decisions  as  I  was  giving  directions  and  making  decisions? 

Will I be fulfilled operating at a lower level of responsibility and involvement
than when I was a CIO?

Will I enjoy rolling up my sleeves and being a “doer” (creating deliverables like
documents), when I was always a “leader” (deciding what deliverables were needed)?

If  you  can  answer  “yes”  to  these  questions  and  those 
posted  in  the  column,  you  may  well  enjoy  a  successful  turn 
as  a  consultant.  But  that  still  begs  the  question:  Is  there  a 
career  benefit  to  consulting? 

Like the response to most good questions, the answer is: “It depends.” If what you
seek long term in your career is a new senior-level executive position where you are
effective, challenged, fulfilled and successful, consulting can be a powerful
transitional move. But if you do not treat it strategically, consulting may not help
you achieve this goal.

Let’s say you know that you want to be the CIO of a consumer packaged-goods
company. Make a list of target companies, then join a consultancy that will expose
you to senior executives at these businesses. When you have secured a consulting
engagement with one of your targets, build up your internal contacts. Once you have
built solid relationships, you will be privy to executive-level changes and
decision-making processes, which will help as you pursue employment. Plus, as a
valued consultant, you will have the credibility to set you apart from other
candidates.

If you treat your time in consulting strategically, you will emerge with skills,
experiences and contacts that are finely tuned to your next executive position. But
if you don’t, all you’ll have to show for it is a big stack of frequent flier miles.


Martha Heller is managing director of the IT Leadership Practice at the Z Resource
Group, an executive recruiting firm in Boston. Reach her at mheller@zrgroup.com.

Join the Conversation

Respond to Martha Heller’s latest online column by visiting
www.cio.com/career/boost/index.html.
No Marketing, No Sale

People believe that if they work hard and do the right thing, others will notice and
reward them. But in the real world, you have to beat your own drum.

By Larry Bonfante


Many IT executives frown at the thought of marketing IT internally. It conjures up
visions of loudmouths delivering sales pitches—the kind of people we’d prefer to
avoid. If we wanted to get into marketing, we would have gotten into...well,
marketing. But what marketing is really about is educating people about something
that you’re passionate about. For instance, some of you probably spend hours
regaling your friends about your tennis game. As CIO of the United States Tennis
Association (USTA), I’d like to thank you for marketing our sport!

Many of us grew up believing that if we worked hard and did the right things, people
would notice and reward us. Unfortunately, things don’t always work out that way.
The executives and board members who are critical to our jobs have countless issues
being thrown at them all the time. Unless we market our ideas to them—communicate
and educate—we will never capture their attention, attention that we need to succeed.

Why  Names  Are  Important 

Marketing is never more important than when you’re trying to turn around an
underperforming IT organization. When I began my tenure at the USTA, our IT team had
a bad reputation and no credibility. After I listened to my clients to understand
what they perceived the problems to be, my first step was to develop and market an
action plan to address them. I named this plan “Operation CPR.” The acronym stood
for the three areas our clients had identified as shortcomings: communications,
project delivery and responsiveness. Calling it an “operation” helped my team
understand that we were in a battle, and CPR reminded them about the areas in which
we needed to improve. (It’s not only your clients to whom you need to market but
your own people too. What your staff thinks, feels and says to others in the quiet
moments when you are not around will have a more profound impact on how people see
IT than the messages you deliver from the pulpit.)

By giving the project a name and a brand, we made it clear to our clients that we
were taking their complaints to heart. (I knew I had my work cut out for me when at
my first board presentation a member told me that CPR wouldn’t work “because the
patient was already dead.”)

Getting  the  Message  Out 

When marketing, it is important that you are consistent and constant in the delivery
of your message. We use every vehicle we can think of to drill home our focus on
communication, project delivery and responsiveness. We developed an IT scorecard,
administered twice a year, with almost all the metrics we track tied back to those
three major themes. We present the results (the good, the bad and the ugly) as well
as all the comments we receive at our IT committee sessions at USTA’s annual and
semiannual meetings. This audience includes board members, committee chairs and key
executives from our 17 section offices. This level of transparency accomplishes two
objectives. It allows me to articulate (i.e., market) our progress and successes in
a large public forum, and perhaps more importantly, this level of candor lets people
know that I can be trusted.

At these meetings we also host an IT “trade show.” This provides our constituency
the opportunity to touch and see new IT systems as well as mock-ups of innovations
we hope to deliver in the next 12 to 24 months. It also helps us drum up financial
support and sponsorship. We publish a monthly newsletter that highlights our
progress on our major initiatives and their business value (download a copy by
clicking on the link in the online version of this story). It’s critical that these
IT missives be written in clear, concise business language and articulate business
value. No geek-speak allowed!

For example, last year we upgraded the campus infrastructure at the National Tennis
Center in Flushing Meadows, N.Y., where the U.S. Open is held. Nobody cared that we
rewired the campus or that we architected and deployed a new secure network.
Marketing those feats would have been useless. But people did care that our players
had wireless access to the Internet and that our 400 media guests could converge on
our media center at the end of the evening and file their stories for the morning
editions of their papers. And that’s what we communicated to our stakeholders.

Last but not least, you need to take your message on the road. We have 17 offices to
which we provide services. Each is a separate legal and operational entity. Last
year I visited with each of these groups to listen to their issues and to make sure
that my message was playing in Peoria. There’s nothing like talking with people
where they live to let them know they’re important to you. Executives who avoid
these trips because they take too much time will have plenty of time to commiserate
with other executives on the unemployment line.

Talk Marketing with Larry Bonfante

Join a teleconference hosted by the USTA CIO, Aug. 9, 3:00-4:00 p.m. ET. Register in
advance at www.cioexecutivecouncil.com/public/teleconferences.

You  can  market  your  message 
successfully  only  if  you  are 
viewed  as  possessing  integrity. 
It's  as  important  to  report  your 
failures  as  it  is  your  successes. 


You  can  market  your  message  successfully  only  if  you  are 
viewed  as  possessing  integrity.  Consequently,  it’s  as  important 
to  report  your  failures  as  it  is  your  successes.  You  need  to  tell 
people  what  went  wrong  and  why,  and  what  you’re  planning  to 
do  about  it.  The  ostrich  approach  is  always  a  mistake.  People  are 
smart  enough  to  know  that  there  are  issues  whether  or  not  you 
tell  them  about  them. 

It  Works  If  You  Work  It 

So, has it worked? The results we receive on our scorecards have improved by 20
percent over the past two years. Our capital projects are now sponsored by our
business unit executives, not by IT, and our credibility within the organization has
improved to the point where we’ve evolved from being considered a level-two priority
(translation: a huge problem) to being seen as an organizational asset. My team is
doing a great job, and they’re recognized for it. Perhaps most importantly, when
people see me in the hallways, they smile and come to talk to me instead of mumbling
under their breath and running in the other direction. Sure, the team members have
rolled up their sleeves and worked their tails off to improve and expand our
services while dramatically lowering our operating costs, but who would know and
understand that if we hadn’t marketed our plan and our progress?

Marketing is a key element of any successful organization. If you don’t believe me,
just ask your CEO how important marketing the business’s services and products is to
the success of the company. I think you already know the answer.


Larry Bonfante is CIO of the United States Tennis Association and a member of the
CIO Executive Council and CIO's Editorial Advisory Board. For more insights and
tools from Council members, visit www.cioexecutivecouncil.com/public/content.html.
Hard Problems, Soft Answers

You know your team is delivering quality, but the organization is not seeing it. Why?
Because you’re not delivering on your relationships.


An IT executive recently said, “As you move up in the organization, people spend
more time working on politics than they do on quality.”

That’s a pretty depressing thought for those who’ve spent years developing their
technical skills in the naive hope that the results will speak for themselves. But
when it comes to perceptions of quality, poor relationships can cast a dull patina
on even the shiniest portrait.

On the other hand, for those who realize that delivery is never perfect, the fact
that the perception of quality can be enhanced by strong relationships is
empowering. If your team is delivering day after day without receiving the
recognition it deserves, take a look at how you are managing the soft side of
delivery. In our experience, we have found that there are two common barriers to
building relationships: being selfish and confining your interactions to formal
meetings.

Be  the  Guy  Next  to  You 

It’s part of the human condition to live inside one’s own head—to assume that others
have the same emotional needs, thinking styles and approaches to decision making
that you do. But as the Army teaches, “It’s all about the guy next to you.” The best
way to understand “the guy next to you” is to observe him, using one of the
personality preference tools, such as the Myers-Briggs Type Indicator, to help you
figure out how to best interact with him. Most professionals have taken these
personality tests at least once in their careers but don’t understand the power of
the tool because they use them to understand themselves rather than to understand
others.

Once  you’re  armed  with  these  insights,  make  sure  you  aren’t 
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selfish  in  your  interactions.  You  can’t  build  relationships  if  you 
are always taking and never giving. One IT executive, Mrs. Cold,
called me recently and asked for a favor. We hadn’t spoken in a
long time, and yet the call began without the necessary tea and
cookies (no “How are you?” or “How are the kids?”); instead,
she dived right in to business. The interaction was cold and
elicited from me a correspondingly cold response. Consequently,
she didn’t receive the help she was looking for. Mrs. Cold
delivers, and she manages up well, but she doesn’t invest in lateral
or downward relationships. One day, when one of her projects
stumbles and she turns for help to those she has casually
dismissed, she will find herself standing all alone.

One  of  the  most  powerful  concepts  in  influence  is  the  idea 
of  reciprocity,  defined  by  Robert  Cialdini,  author  of  Influence: 
Science  and  Practice,  as  people  repaying  in  kind.  Mrs.  Cold 
would  have  evoked  a  different  response  from  me  if  she  had 
maintained  regular  contact,  begun  the  exchange  by  focusing 
outwardly  instead  of  upon  her  own  needs,  or  followed  up 
with  some  type  of  repayment  (for  example,  an  introduction  to 
someone  I  wanted  to  meet,  or  a  simple  thank-you  note). 

Meet  Outside  of  Meetings 

Relationships aren’t built in conference rooms, through e-mail
or over the phone. Relationships are built one-on-one, over
coffee and lunch, and in social settings. For example, consider the
executive who is remarkable in his ability to get his team
organized and deliver the goods. Mr. Substance should be the next
CIO but probably won’t be. The problem is, he’s all business all
the time. Once you get to know him, he’s delightful.
Unfortunately, he doesn’t interact with others in casual settings.

Another influence principle of Cialdini’s is that of liking:
People like people who like them. Mr. Substance doesn’t reach
out to others one-on-one because he is focused on what to say
rather than on what to ask. Getting others to talk—and
listening in an active, as opposed to a passive way (in which you are
just waiting for them to finish so you can say your piece)—is
the best way to identify common values, interests, pressures
and goals. Successful questioning doesn’t look like a courtroom
scene in Law and Order, with one person doing all the talking.
It looks like a tennis game: Serve up the question, return with
added spin, pace or direction, and respond accordingly. It’s
amazing how often people don’t play the conversation from
where it landed and instead just pick up the ball and move it to
another part of the court by ignoring their partner’s response
and changing the subject.

Relationships make work meaningful. Not only in the way
they humanize daily existence, but in how they ensure that
good work is recognized, rewarded and well used. It’s through
relationships that you will be able to apply the tenets of
marketing (“Tell them what you are going to do, tell them that you
are doing it, and tell them that you got it done”) in a way that
isn’t viewed as self-serving but instead serves others.


Reader  Q&A 

Q:  I  wonder  how  many  executives  understand  that 
sometimes  the  keys  to  the  outside  world  can  come 
from  their  vendors.  Many  times,  I  do  not  sell  services; 
I  merely  keep  in  touch.  And  if  something  arises  where 
there’s  a  fit,  I  mention  our  ability  to  help. 

A: As a CIO, I referred vendors to my direct reports.
The vendors I developed relationships with were those
who had something interesting to talk about, other
than their product—for example, industry and
competitive insights.


Q:  You  say  Mr.  Substance  should  probably  be  the  next 
CIO  because  he  delivers  the  goods  but  won’t  be  because 
he’s  all  business  all  the  time.  Since  when  has  doing  one’s 
job  well  become  a  liability? 

A: Doing one’s job is a necessary but not sufficient
condition for success as revealed by a study (“Fool vs. Jerk:
Whom Would You Hire?” http://hbswk.hbs.edu). Not
surprisingly, most people choose their work partners
according to two criteria. One is competence at the job;
the other is likability. What is surprising is the
importance of personal feelings as a factor in judging
competence. The research found that people are more likely to
hire the lovable fool than the competent jerk. Polishing up
your likability may be the best way to ensure that you
receive the recognition and opportunities you deserve.

Q: Can you mention other personality assessment
tools, other than Myers-Briggs, that we can use to
better understand “the guy next to you”?

A: Another assessment frequently used within
businesses to improve awareness of self and others is the
DISC personality assessment (the acronym stands for the
four behavior dimensions identified in the assessment:
dominance, influence, submissiveness/steadiness and
compliance/consciousness), which is based on the work
of Dr. William Marston.


Have a Leadership Question?

For more reader questions and answers from Susan Cramm, go
online to www.cio.com/leadership.


Susan Cramm is founder and president of Valuedance, an
executive coaching firm in San Clemente, Calif. You can e-mail
feedback to susan@valuedance.com. Don Reeve is CIO at Wegmans.
On the evening of Sept. 27, 2001, Howard Rubin, a computer science
professor at City University of New York who had advised the Clinton
administration on technology issues, was home observing Yom Kippur,
the holiest day on the Hebrew calendar. Observant Jews don’t work,
drive or use appliances on Yom Kippur, but Rubin had a strong feeling
he should pick up the phone when it rang that night.

“My wife didn’t want me to answer it,” he recalls.

But he did.

On the other end of the line was one of the most senior members of
the previous administration. He wanted to know if Rubin knew of any
technologies the government could use to help catch terrorists.

Rubin’s answer has since become a technology mantra among members
of the intelligence community: data mining, he told the official.


Cover Story

Data Mining

Preventing a terror attack is invaluable. But even invaluable IT
projects need realistic business case analysis to succeed.


What to Do When Uncle Sam Wants Your Data

You may think that antiterror IT is just for the gumshoes.
Be prepared to participate—and, perhaps, to resist the request.

On the Friday before Memorial Day in 2002, FBI agents descended on a chain of
scuba diving stores across the country called Dive Shops, trying to get data on
everyone who had learned how to scuba dive since 1999. In order to help out
panic-stricken shop owners, the Professional Association of Diving Instructors, the
primary organization that oversees scuba certification, gave the FBI a zip drive
containing names and other information on about 2 million Americans who had
learned to dive over the previous three years.

It was one example of the private sector’s role in the war on terrorism. The U.S.
government has over 30 data mining projects that use private-sector data. And
while last year the departments of Justice and Homeland Security spent more than
$25 million to purchase commercial records from data brokers such as ChoicePoint
and LexisNexis, more often than not investigators get the data they want directly
from companies, a tactic publicized by the recent National Security Agency
project using telephone records. As the CIO, you are in charge of your company’s data.
Therefore it is up to you to indemnify your company against legal liability by
following the proper procedures when an investigator wants your data.

The first rule, says Behnam Dayanim, a partner with the law firm Paul, Hastings,
Janofsky & Walker, is to take every request to the corporate counsel’s office. “You
have to get a court order,” he says, or else you may be violating your company’s
privacy policy. Also, it is important to make sure that you comply with the request
in the order and don’t give more than you are asked for.

Dayanim says that unless a company has a dedicated staffer to deal with requests
from law enforcement (many telecommunications companies do, for example),
investigators will most likely contact you through a letter addressed to a vague title
like IT manager, or will call a junior-level database administrator directly. It is your
responsibility to train your staff so they know that all requests must go through
the legal department. “I think you have to hit people over the head with it,” says
Dayanim. “Most people’s response is to cooperate, but it exposes the company to
a tremendous amount of legal liability. It puts the company at risk.” -B.W.


Data mining is a relatively new field within computer science. In the
broadest sense, it combines statistical models, powerful processors,
and artificial intelligence to find and retrieve valuable information
that might otherwise remain buried inside vast volumes of data.
Retailers use it to predict consumer buying patterns, and credit card
companies use it to detect fraud. In the aftermath of September 11,
the government concluded that data mining could help it prevent
future terrorist attacks.


A Proliferation of Projects

Experts say that the government, and in particular the intelligence
community, has come to rely heavily on data mining. A 2004 Government
Accountability Office report found that federal agencies were actively
engaged in or planning 199 data mining projects. Of these, 14 focused
explicitly on catching terrorists and preventing attacks, a total that
does not include projects at seven agencies (such as the CIA and the
National Security Agency) that did not respond to the GAO survey. Over
the past year, The New York Times, USA Today and other media outlets
have uncovered top-secret programs within those agencies that collect
and look for patterns in phone records, e-mail headers and other
personal information (see “What to Do When Uncle Sam Wants Your
Data,” this page).

When  these  programs  were  made  public, 
the  president  and  other  members  of  his 
administration  defended  them  as  critical 
to  the  war  on  terrorism. 

Given the administration’s commitment to programs using
these data mining tools and the pressure on everyone to
prevent another attack, it comes as no surprise that these projects
are being approved by agency heads almost as fast as they are
being conceived, experts say. “There is a real fear of not going
down this path, because if there is value you don’t want to be
on the side that opposed [a data mining project],” says Robert
Popp, who was deputy director of the Information Awareness
Office at the Defense Advanced Research Projects Agency. Of
course, government officials also have a straightforward
reason for pursuing data mining projects, says Robert Gourley,
CTO of the Defense Intelligence Agency: “We want to protect
our country and our way of life.”


No  Scope,  No  Budget,  No  End 

But some experts are beginning to question whether an IT
strategy of unlimited scope, budget and schedule will best
serve that end. It’s a conundrum CIOs face every day. IT
projects, no matter how vital, tend to fail when controls don’t
exist or those controls fall away in the face of a time crunch or
crisis. Lack of oversight is the chief cause of project failures,
according to the Standish Group, an analyst firm that tracks
IT success rates. It leads to overly ambitious projects, an
unwillingness to change the original vision and inattention
to signs that something isn’t working. “It doesn’t matter if it is
a supply chain project, an ERP system or data mining—those
things need to be considered,” says Jim Johnson, the Standish
Group’s chairman.

“No one [in the government] has looked at data mining from
an IT value perspective,” says Steve Cooper, former CIO of the
Department of Homeland Security. “I couldn’t figure out [the
value of data mining] when I was in DHS, and I can’t figure it
out now. But that didn’t stop us from using it.”

In  other  words,  according  to  Cooper,  no  one  has  done  a 
business  case  analysis  to  determine  whether  the  government 
is  getting  a  return  on  its  investment.  Instead,  a  rationalization 
is  usually  sufficient:  If  a  project  has  a  chance  to  catch  just  one 
terrorist,  then  it  is  worth  it. 

Given that the government’s track record on IT project
management is particularly poor (see “Federal IT Flunks
Out,” www.cio.com/051506), a lack of typical IT project
analysis, prioritization and management controls could backfire.
Badly. Experts worry that projects could drag on for years
and that good projects could be thrown out with the bad
because of privacy and civil liberties issues. (In fact, Congress
has already halted a number of data mining projects,
including the Department of Defense’s Total Information
Awareness project, an ambitious 2003 attempt to create a massive
database containing just about everything and anything that
could be used to identify possible terrorists. See “Poindexter
Comes in from the Cold,” www.cio.com/080104.)

Experts are also concerned that in its zeal to apply
technology to antiterrorism, the government could disrupt the
crime-fighting processes of the agencies that are charged with
finding and stopping terrorists before they act. As any good
CIO knows, if users see a system as an obstacle to getting their
jobs done effectively, they will rebel or simply ignore it—in
this case, with potentially disastrous consequences.

Among data mining experts, there is a growing sense that
the government needs to apply the same kind of analysis to its
antiterrorism IT strategy that CIOs in the private sector use to
keep their projects from spinning out of control. “These
projects have perfectly reasonable goals,” says Fred Cate,
director of the Center for Applied Cybersecurity Research at the
University of Indiana. (Cate was counsel for the Technology
and Privacy Advisory Committee created in 2003 by Donald
Rumsfeld to study his agency’s use of data mining.) “But there’s
no oversight procedure,” he says.




www.cio.com  |  AUGUST  1,  2006  37 


Data  Mining:  The  State  of  the  Art 

The government’s data mining projects fall into two broad
categories: subject-based systems that retrieve data that could
help an analyst follow a lead, and pattern-based systems that
look for suspicious behaviors across a spread of activities.
Most data mining experts consider the former a version of
traditional police work—chasing down leads—but instead of
a police officer examining a list of phone numbers a suspect
calls, a computer does it.

One subject-based data mining technique gaining traction among
government practitioners and academics is called link analysis. Link
analysis uses data to make connections between seemingly
unconnected people or events. If you know someone is a terrorist, you
can use link analysis software to uncover other people with whom the
suspect may be interacting.

For  example,  a  suspicious 
link  could  be  a  spike  in  the 
number  of  e-mail  exchanges 
between  two  parties  (one  of 
which  is  a  suspect),  checks 
written  by  different  people 
to  the  same  third  party,  or 
plane  tickets  bought  to  the 
same  destination  on  the  same  departing  date.  Many  experts 
believe  that  the  NSA  project  analyzing  millions  of  domestic 
phone  records  is  this  kind  of  link  analysis  system. 

Finding  the  Hidden  Linkages 

However, link analysis projects are useful only if they have
a narrow scope, says Valdis Krebs, an IT consultant who
famously developed a map showing the connections among the
9/11 hijackers—after the fact. Successful link analysis requires
a reliable starting point—a known terrorist, for example, or
a phone number associated with one. Link analysis becomes
less effective when it’s used in an attempt to spot anomalous
behavior. “If you’re just looking at the ocean, you’ll find a lot
of fish that look different,” says Krebs. “Are they terrorists or
just some species you don’t know about?” If the government
searched for only the activities mentioned above—e-mails,
checks and plane tickets—without the added insight that one
of the network’s members was a terrorist, investigators would
be more likely to uncover a high school reunion than a terrorist
plot, says Krebs. If the government casts the net too wide, he
adds, the projects could cost more, take longer and raise the risk
of “false positives,” such as the high school reunion example.


One example of the government applying a more realistic
scope to a data mining project is a system the DoD is currently
testing that sifts through the data the agency has on everyone
with a security clearance, looking for patterns that could
identify spies. These patterns might include purchases that are out
of line with someone’s pay grade, unreported foreign travel or
e-mail exchanges with a person known to work for a foreign
government, says a counterintelligence official involved with
the project who requested anonymity. The parameters for these
searches are developed by counterintelligence officers, based on
their experience of what suspicious activity looks like. As the
technology improves, the DoD hopes to rely on artificial
intelligence to decide which patterns warrant attention and which
do not.

However, even systems that have more limited scope, such as the
DoD’s security clearance system, are sending out mixed signals.
“Right now, it’s information overload,” says the
counterintelligence official. “With the rules we have now, we would
have a ton of false positives.” His goal is to refine the system and
eventually show that the concept works. This, he hopes, will
encourage people to share more data.

His project isn’t yet a success, nor has it been deemed a
failure. He doesn’t anticipate getting usable results for three
or four years. The factors that will determine its future are
the same as with any IT project: how well the technology
performs, the problems the DoD uses the system to solve and
what it does with the results it gets.

Projects  Get  the  Ax 

If antiterrorism data mining is going to improve, the business
rules aren’t the only aspect that needs to change. After all, a
system is nothing without good data. Sometimes law
enforcement has a detailed profile of a terrorist suspect. But in other
cases all they have is a name. “Names alone are not a helpful
way to match people,” says Jeff Jonas, data mining’s
acknowledged superstar, who made his name protecting Las Vegas
casinos from cheats. Jonas, for example, shares his name with
at least 30 other Americans. This is one of the reasons why
Yusuf Islam (a.k.a. folk singer Cat Stevens) was detained in a
Maine airport in 2004.


“Five years after 9/11, we still don’t have an automated
system for matching passenger names with names on the terror
watch list. Civil liberties had nothing to do with that.”
-Jim Dempsey, policy director of the Center for
Democracy and Technology

After 9/11 the government began replacing the Computer
Assisted Passenger Pre-Screening (Capps) system—which
only tracked passenger data collected from the airlines (names,
credit card numbers, addresses)—with Capps II, which would
add information culled from data brokers such as ChoicePoint
and LexisNexis. Capps II first gained notoriety in 2003, when
reports surfaced that Northwest Airlines and JetBlue gave
passenger records to the Transportation Security Administration
so it could test the new system. Critics asked about privacy
safeguards, which were virtually nonexistent according to
public records, and in response to the outcry Congress
withheld funds for Capps II until the GAO completed a study on
how exactly the TSA intended to protect privacy.

In August 2004, the TSA pulled the plug on its $100
million-plus investment in Capps II in favor of a new system called
Secure Flight. Secure Flight and its predecessor share many
characteristics, most notably combining passenger records
with data purchased from commercial databases. (According
to a recent government audit, DHS and the Department of
Justice spent more than $25 million in 2005 buying data for
fighting crime and preventing terrorism.)

In September 2005, the Secure Flight Working Group,
a collection of data mining and privacy experts who the TSA
asked to review the project, completed a nine-month analysis
and filed a confidential report that was highly critical of the
system. Within a week, the report was on the Internet. It
read, “First and foremost, TSA has not articulated what the
specific goals of Secure Flight are.” It went on to say, “Based on the
limited test results presented to us, we cannot assess whether
even the general goal of evaluating passengers for the risk
they represent to aviation security is a realistic or feasible one
or how TSA proposes to achieve it.”

Bruce Schneier, a security expert who was a member of the
working group, sees Capps II and Secure Flight as primary
examples of how the lack of proper scope has damaged antiterror IT
efforts. Even if you managed to design a data mining system that
could comb through phone records or credit card transactions
and spot terrorists with a 99 percent success rate, it still would
not be a good use of investigative resources, argues Schneier.
For example, if the approximately 300 million Americans make
just 10 phone calls, purchases or other quantifiable events per
day, that would produce 1 trillion pieces of data a year for the
government to mine. Even 99 percent accuracy would produce
a billion false positives a year, or about 27 million a day. And
99 percent accuracy would still mean missing some transactions
that might actually be terrorists. And no one wants to consider
the price of missing another attack. That’s why Schneier wasn’t
surprised when he read a January article in The New York Times
reporting that hundreds of FBI agents were looking into
thousands of data mining-generated leads every month, almost all
of which turned out to be dead ends. “It’s a waste of money,” he
says. “[Data mining] is a lousy way to fight terrorism.”

By contrast, says Schneier, data mining has worked to prevent
credit card fraud because con artists act in predictable ways
and operators of credit card data mining systems have drawn a
clear ROI line for an acceptable level of false negatives and
positives, and adjusted the system’s settings accordingly. For
example, most credit card issuers are willing to accept losses of
several thousand dollars to prevent alarm bells from ringing every
time a customer goes through a checkout line. If false positives
are infrequent, customers don’t mind the occasional disruptions;
indeed, they may even view it as a positive sign that the card
issuer is working hard to protect them. With system sensitivity
correctly calibrated, a handful of thieves may get away with fraud,
but the system as a whole isn’t compromised.

“As far as the oversight process, it is clear that antiterrorism
data mining is a disaster.”
-Fred Cate, director of the Center for Applied
Cybersecurity Research, University of Indiana

Capps II and Secure Flight had no such ROI mechanisms. But
rather than reexamine the goals and scope of the projects, the
government simply expanded them to include profiling, a hunt for
common criminals and more. And as happens so often with IT
projects when their goals are too broadly defined, the system is
still not active despite an originally planned go-live date of
November 2003.

“TSA  was  never  willing  to  reevaluate  the  scope  of  the 
project,”  says  Jim  Dempsey,  policy  director  of  the  Center 
for  Democracy  and  Technology,  who  was  part  of  the  TSA’s 
Secure  Flight  Working  Group  with  Schneier.  “So  now,  five 
years  after  9/11,  we  still  don’t  have  an  automated  system  for 
matching  passenger  names  with  names  on  the  terror  watch 
list.  Civil  liberties  had  nothing  to  do  with  that.” 

The  Antiterror  IT  Business  Case 

Despite prominent failures like Capps II, there is still a general
feeling among data mining experts and even privacy advocates
that data mining can be an effective tool against terrorism. And
because the technology is so new, it stands to become even more
helpful with time—if it is managed properly. “This is an
evolutionary project,” says Rubin. “And it is being fueled by events.
When that happens you get there eventually. You figure out how
to get the man on the moon.”

Indeed, CIO has learned of one example of an antiterrorism
data mining project that has worked—a link analysis system
that helped investigators at Guantanamo Bay figure out which
detainees were likely to be terrorists. In 2002 and 2003, the
Criminal Investigative Task Force (CITF), a branch of Army
Intelligence, was assigned to interrogate detainees at
Guantanamo and determine who was a terrorist and who was simply
in the wrong place at the wrong time.

In this instance, CITF had reliable data about the
detainees, including where they were captured, who they associated
with at Guantanamo and other details about their behaviors
and relationships. Investigators used a commercially
available tool from software vendor i2 to construct a chart of all the
detainees, including every known attribute about a detainee
and his links to other suspects. This information was then fed
into a University of Massachusetts-developed system called
Proximity to examine these attributes and links, compare
them with the profiles CITF had on known terrorists and
known innocents, and calculate the probability that a given
detainee was a terrorist.

A  Need  for  More  Oversight 

The Guantanamo system had a limited scope, a reliable
starting point culled from human investigations, and a fair shot at
reducing the number of false positives and negatives. In other
words, the technology was carefully applied, and the result was
a system that solved a real problem, says Popp.

But this is the exception. Most data mining projects are not
subjected to a rigorous business case analysis. Two current
intelligence CIOs who were otherwise unable to comment
for this story agreed that this is an issue that they struggle
with. The DoD’s Technology and Privacy Advisory
Committee (TAPAC) developed a 10-point system of checks and
balances that it recommended every agency head apply to data
mining projects, but Cate says that it has never been
implemented. Similarly, the National Academy of Sciences recently
appointed a committee to develop a methodology that the
government can use to evaluate the efficacy of its antiterror
data mining projects, but the target date for its report is still
more than a year away.

What’s left is the status quo. That’s troubling to people like
Cate. “There are some extraordinarily smart people
[working on data mining systems], and I would be hard pressed
to think that they are wasting their lives on something that
doesn’t work,” he says. “But one of the things [TAPAC] kept
focusing on was that you have to be able to show that it works
within acceptable parameters,” a responsibility that he says
rests with agency heads.

Agency  heads  aren’t  accepting  that  responsibility,  says  Cate. 
“As  far  as  the  oversight  process  is  concerned,  it  is  clear  that  [data 
mining  to  prevent  terrorism]  is  a  disaster.”


Senior  Writer  Ben  Worthen  can  be  reached  at  bworthen@cio.com. 
_7:55  a.m.:  Came  in  this  morning  and  found  an  office
out  of  control.  No  one  can  collaborate.  No  one  can 
get  real-time  answers.  Web  conferencing  services  are 
driving  costs  through  the  roof.  And  unmanaged  public 
IM  is  a  security  nightmare. 

_8:02  a.m.:  Gil  brought  in  a  “collaboration  accelerator.”
I  said  it  looked  more  like  a  cannon.  He  said  I  had  a 
small  mind. 
_10:45  a.m.:  Went  upstairs  and  found  everything  frozen,
literally.  It’s  our  processes.  They’re  inflexible. 

Hard  coded  so  we  can’t  change  them  or  even  respond  to 
change.  Why  did  we  lock  ourselves  in  like  this?  Brrr. 

_I  don’t  have  the  patience  or  the  budget  to  fix  it. 
This  is  crazy.  I  got  freezer  burn  from  my  keyboard. 
_1:30  p.m.:  Came  back  from  lunch  and  realized  our
network’s  so  complex,  it’s  impossible  to  manage.  The 
bottlenecks  and  hotspots  are  out  of  control.  We’re  not 
proactive  at  all;  we’re  just  reacting.  We  need  help. 

_1:45  p.m.:  Gil  bought  a  crystal  ball  at  a  flea 
market.  Says  he  can  now  peer  into  the  future  of  our 
infrastructure.  Can  this  day  get  any  worse? 


_3:59  p.m.:  It  got  worse.  Our  information  is  out  of  control. 
It’s  totally  unmanageable.  It’s  siloed.  People  can’t 
access  the  latest  info  to  make  decisions.  Gil’s  resorted 
to  giving  every  database  to  everyone  all  at  once. 


_4:37  p.m.:  Monitors  now  outnumber  humans  18  to  1.
The  eyestrain  is  so  bad  we  had  to  hire  an  in¬ 
ophthalmologist. 
_5:30  p.m.:  This  day  has  gone  from  bad  to  scary  bad.  Now
the  business  is,  uh,  coming  apart.  I.T.  isn’t  in  sync 
with  the  suits.  No  one’s  sure  what  they  need  to  do.  It’s 
totally  out  of  control. 

_5:45  p.m.:  Gil  fell  into  the  crack.  Maintenance  needed 
a  GPS  device  and  a  hundred  feet  of  rope  to  rescue  him. 


_6:02  p.m.:  The  day  is  looking  up  thanks  to  me,  Ned. 
Ned,  who  took  back  control  with  IBM  middleware. 


Control  sluggish  collaboration  with  IBM  Lotus®
Sametime®  7.5.  It’s  not  just  IM  and  Web  conferencing.
It’s  a  platform  for  running  your  business  in  real  time. 

It’s  encrypted.  It’s  packed  with  features  like  spell  check, 
VoIP  and  location  awareness.  And  it  even  works 
seamlessly  with  leading  public  IM  networks.  Now 
everyone  in  your  business  has  real-time  answers. 


TAKE  BACK  CONTROL  WITH  THE  ENTIRE  PORTFOLIO  OF  IBM  MIDDLEWARE. 

WebSphere  Tivoli  Information  Management  Rational 


IBM.COM/TAKEBACKCONTROL/MIDDLEWARE 


Control  frozen  processes  with  IBM  WebSphere 
middleware.  It  lets  you  streamline  tasks  and  optimize 
performance.  Simulate  and  test  processes  before  you 
roll  them  out  so  you  can  understand  the  real  impact  they’ll 
have.  Measure  and  monitor  performance  once  those
processes  are  deployed.  And  it’s  built  on  a  service  oriented 
architecture  so  it’s  flexible  and  future-ready. 

Control  perplexing  infrastructure  problems
with  IBM  Tivoli  middleware.  It  gives  you  a  holistic  view
of  your  entire  infrastructure  so  you  can  analyze  the
relationships  between  apps,  systems  and  networks.
It’s  built  on  open  standards  and  is  modular.  It  scales  to
your  needs.  It  isolates  and  fixes  problems  proactively
for  more  uptime  and  more  storage  availability.

Control  information  siloes  with  an  IBM  Information
On  Demand  middleware  solution.  It  liberates  your  siloed
information  so  you  can  access  anything,  no  matter
where  it  is  or  what  its  format.  Your  information  will  be
accurate  and  in  context.  It’s  based  on  open  standards
and  it  supports  an  SOA.  And  it  gives  your  people  all  the
information  they  need  to  make  smarter  decisions.

Control  out-of-sync  software  development  with 
IBM  Rational  middleware.  It  helps  manage  your  offices’
development  teams  and  ensures  that  your  software  is 
in  compliance.  It  can  even  implement  a  service  oriented 
architecture.  With  Rational,  everyone  knows  their  job 
and  everyone  works  together.  The  development  process 
is  governed  and  aligned  with  your  business  goals. 
Gale  GFS  managing  director
Kenneth  McCrae:  “My
immediate  thought  was,
how  lucky  have  I  been?  Then
I  knew  I  had  to  check  on
the  safety  of  colleagues  in
London.”


Crisis  Management 


except  buses 
A  little  more  than  a  year
ago,  terrorist  bombs
ripped  through  London,
killing  people,  disrupting
communications  and
shutting  down  the  city.
Here’s  how  one  global 
company  quickly 
connected  with  its 
employees  and  kept 
the  business  running. 

BY  SUSANNAH  PATTON 


On  the  morning  of  July  7,  2005,  Kenneth
McCrae  left  his  hotel  in  central
London  and  headed  for  Baker  Street 
Underground  station.  It  was  a  warm 
day  and  he  remembers  looking  longingly  across 
the  street  at  the  green  grass  and  trees  in  Regent’s 
Park  before  heading  down  to  catch  his  train. 

McCrae  boarded  at  8:42  a.m.  along  with  the  millions  who  jam 
the  city’s  famous  subway  system  each  day.  On  a  whim,  he  decided 
to  take  the  Metropolitan  line  instead  of  the  Circle  line.  It  turned  out 
to  be  a  good  choice. 

At  8:50,  a  series  of  powerful  bombs  exploded  underground, 
and  one  of  those  seriously  damaged  a 
train  on  the  Circle  line,  just  two  trains 
ahead  of  McCrae.  Above  ground, 
another  blast  would  rip  apart  a  bus  in 
Tavistock  Square  nearly  an  hour  later. 

Meanwhile,  McCrae  and  his  fellow 
passengers  sat  in  the  dark,  silently, 
for  20  minutes.  It  wasn’t  until  they  left 
the  train,  filed  down  the  dark  tracks 


Reader  ROI 

::  The  primacy  of  tracking 
employees  in  a  crisis 

::  How  storing  data  about
past  incidents  can  generate
best  practices

::  The  importance  of  having
multiple  channels
of  communication


PHOTO  LEFT  BY  DAVID  LEVENSON:  RIGHT  BY  REUTERS 


www.cio.com  |  AUGUST  1,  2006  43 



and  walked  up  the  stairs  into  the  daylight 
at  King’s  Cross  station  that  they  realized 
something  very,  very  bad  had  happened. 

The  terrorist  bombings  in  London 
that  day  killed  56  people,  wounded  700, 
crippled  lines  of  communication  and 
effectively  shut  down  one  of  the  world’s 
largest  cities.  As  sirens  blared,  McCrae, 
managing  director  of  real  estate  management
company  Gale  Global  Facilities  UK,
a  division  of  Gale  Global  Facility  Services, 
pulled  out  his  BlackBerry  and  called  his 
boss  in  New  Jersey. 

“My  immediate  thought  was,  ‘how
lucky  have  I  been?’”  says  McCrae,  who
splits  his  time  between  his  home  in  Scotland
and  a  hotel  in  London.  “Then  I  knew
I  had  to  get  in  touch  with  the  home  office.  I
had  to  somehow  check  on  the  safety  of  colleagues
in  London.”

Even  though  much  of  the  area’s  phone
and  cellular  networks  were  quickly  overwhelmed,
McCrae  was  able  to  reach  New
Jersey  as  well  as  a  colleague  in  Toulouse,
France,  who  went  immediately  to  the
company’s  intranet  site  to  open  an  “incident
report,”  which  would  soon  chronicle
the  day’s  events  and  help  account  for  the
location  and  safety  of  Gale  GFS  employees
in  the  London  region.  McCrae  used
his  BlackBerry  to  communicate  with  his
colleagues  in  London,  around  Europe  and
in  the  United  States.  Within  90  minutes,
Gale  was  able  to  account  for  all  of  its  80
London-based  employees.  The  company’s
Incident  Reporting  System,  or  IRS,  which
sends  out  e-mail  alerts  to  the  cell  phones,
BlackBerrys,  pagers  and  laptops  of  those
concerned  and  also  informs  employees
via  a  sort  of  Web  chat  room  on  their  home-built
company  portal,  helped  spread  the
news  of  the  unfolding  crisis.  And  because
of  it,  Gale  GFS  never  stopped  operating.

McCrae’s  experience—and  the  company’s
ability  to  communicate  broadly
through  a  variety  of  channels—shows
how  companies  hit  by  disaster  can  effectively
track  employees  using  simple  Web
and  mobile  technologies.  During  the  London
bombings,  many  companies  suffered
from  a  total  information  blackout  because
most  communications  lines  were  blocked.
Gale  GFS,  however,  was  able  to  find  its
employees,  make  sure  its  properties  were
safe  and  send  alerts  to  those  in  charge
within  a  short  period  of  time.  This  kind
of  system,  which  relies  on  cell  phones,
e-mails,  BlackBerrys  and  pagers  to  communicate,
is  simple  but,  unaccountably
and  unfortunately,  rare.  Many  companies
simply  don’t  have  systems  in  place  to  keep
track  of  and  communicate  with  employees
during  and  just  after  a  crisis,  experts  say.

“It’s  not  just  putting  out  fires;  it’s  about
staying  in  business,  and  one  of  the  essential
steps  is  tracking  employees,”  says
Jack  Harrald,  director  of  the  Institute  for
Crisis,  Disaster  and  Risk  Management  at
George  Washington  University.  “Technology
can  help  you  do  this.”

The  Limits  of  E-Mail 

Gale  GFS’s  crisis  management  system
was  born  out  of  the  company’s  desire
to  better  communicate  with  its  employees
on  a  day-to-day  basis.  The  company
started  to  build  its  Incident  Reporting
System  in  2003  when  its  largest  client,
AT&T,  asked  for  help.  The  telecom  giant
was  looking  for  a  way  to  let  employees
know,  in  real-time,  what  was  happening
when  there  was  a  major  incident—a
hurricane  or  power  outage—at  one  of  its
locations.  “They  wanted  to  be  able  to  let
everyone  know  what  was  happening  even 
as  the  situation  was  changing  every  few 
minutes,”  says  Chris  Messineo,  assistant 
VP  for  IT  at  Gale  GFS  (a  unit  of  the  Gale 
Company),  which  manages  and  oversees 
properties  around  the  world  for  clients 


4  Great  Moments
in  Crisis  Management


1.  Mitigation  According  to  the  Book
of  Genesis,  God  decided  to  flood
the  Earth  to  punish  humankind  for
its  bad  behavior.  To  mitigate  the
disaster,  God  told  Noah  to  build  an
ark,  instructing  him  to  take  along  his
wife  and  family,  as  well  as  one  pair  of
every  living  creature.  When  the  heavens
opened  and  rain  poured  down
for  40  days  and  40  nights,  the  ark
floated  and  the  world  was  preserved.

2.  Negotiation  In  1962  President
John  F.  Kennedy  prevented  the
arming  of  Soviet  nuclear  missiles  in
Cuba  after  a  tense  13-day  confrontation
between  the  two  superpowers.
After  reconnaissance  photos
showed  Soviet  missiles  on  the
island,  Kennedy  ordered  a  naval
blockade  to  prevent  Soviet  supply
ships  from  approaching.  Thirteen
days  later,  Soviet  General  Secretary
Nikita  Khrushchev  announced  that  the
installations  would  be  dismantled.
This  Cold  War  brinkmanship  was
mitigated  by  back-channel  negotiations
between  the  two  nations.  It  was
later  revealed  that  in  return  for  the
Soviets  removing  their  missiles,  the
United  States  had  agreed  to  dismantle
its  own  bases  in  Turkey.

3.  Communication  Severe  Acute
Respiratory  Syndrome  (Sars)  first
appeared  in  the  Guangdong  province
of  China  in  November  of  2002.  The
virus  then  traveled  to  30  countries
around  the  world  in  2003  after  news
of  the  outbreak  was  initially  suppressed
by  the  Chinese  government.
The  virus  was  successfully  contained
after  the  World  Health  Organization
(WHO)  sent  out  worldwide  alerts.  Dr.
Carlo  Urbani,  WHO  expert  on  communicable
diseases,  was  the  first  to
identify  Sars,  and  his  swift  actions
led  to  global  awareness.  He  died  of
Sars  on  March  29,  2003.

4.  Preparation  After  the  Federal
Emergency  Management  Agency’s
September  2005  response  to  Hurricane
Katrina  proved  disorganized
and  ineffective,  Wal-Mart,  thanks  to
its  robust  supply  chain  and  logistics
expertise,  was  able  to  quickly  truck
in  much-needed  supplies  to  flooded
New  Orleans.  -S.P.
including  AT&T,  GlaxoSmithKline,  IBM
and  Toys  “R”  Us. 

Messineo,  working  with  Gale  GFS 
president  and  CIO  Ian  Marlow,  decided 
they  needed  to  create  an  alternative  to 
e-mail,  which  can  be  an  inefficient  way  to 
find  employees  during  a  crisis  because  it 
can  create  a  tangle  of  messages  that  cross 
each  other.  The  two  had  initially  designed 
the  company  portal  in  2002  in  an  effort 
to  share  information  inside  the  company, 
and  had  more  recently  added  functions 
such  as  file-sharing  to  allow  vendors  and 
clients  to  use  it  as  well.  Messineo  stresses 
that  the  system,  built  using  Microsoft’s 
ASP.net  and  SQL  Server,  was  designed  for 
simplicity.  “In  fact,  its  power  is  in  its  simplicity,”
he  says,  noting  that—so  far—it  has
never  locked  up  or  crashed  and  that  all  of
the  code  used  to  run  it  can  fit  on  a  single
floppy  disk.  The  system  had  to  be  robust
and  easy  to  use,  even  for  employees  connecting
from  dial-up  modems  in  airports.
And  unlike  more  complex  Web  conferencing
systems,  employees  access  it  directly
from  any  Web  browser  and  don’t  need  to
download  software  to  do  so.  Messineo  says
his  team  was  successful  because  they  kept
the  application  simple.  And  while  AT&T
was  the  first  to  request  such  a  system  for 
its  property  managers,  all  of  Gale  GFS’s 
clients  can  now  use  the  IRS. 

Recent  disasters  have  shown  that  companies
focused  on  the  process  of  finding
their  employees  after  a  disaster  are  more
resilient  than  those  intent  only  on  keeping
their  systems  running,  says  Yossi  Sheffi,
director  of  MIT’s  Center  for  Logistics  and
Transportation  and  author  of  The  Resilient
Enterprise.  After  Hurricane  Katrina,
for  example,  Sheffi  notes  that  Wal-Mart’s
first  order  of  business  was  to  account  for
all  employees.  Only  then  did  it  reopen  its
affected  stores.  “The  first  thing  [in  a  crisis
management  strategy]  would  be  to  instill
in  your  employees  the  importance  of  getting
in  touch  after  a  disaster,”  says  Sheffi.

Keep  It  Simple  and  Flexible

Gale  GFS  employees  agree  that  policies 
urging  employees  to  keep  in  touch  with 
each  other  are  as  important  in  a  crisis  as 
the  technology  itself.  Adding  the  Incident
Reporting  System—which  operates  as  a
sort  of  business  blog—to  Gale  GFS’s  portal
site  was  not  complicated,  Messineo  says. 


Essentially,  an  employee  can  log  on  to
the  Web-based  system  with  a  user  name
and  password  and  write  about  a  hurricane,
an  explosion  or  any  other  incident.
Gale  GFS  designed  and  built  its  system  to
automatically  send  out  an  e-mail  notification
to  everyone  in  the  region.  Through  an
online  control  panel,  administrators  can
determine  who  gets  notified  by  region  and
by  company.  E-mail  alerts  pop  up  on  cell
phones  and  BlackBerry  pagers,  as  well  as
on  computer  screens.  Originally,  Messineo
says,  AT&T  said  it  wanted  to  be  able  to  track
40  fields  of  information—ranging  from
precise  location  to  detailed  weather  conditions
and  number  of  employees—for  each
incident.  That  level  of  complexity,  however,
would  mean  that  the  system  would  be  slow.
Messineo  decided  to  reduce  the  number  of
categories  within  each  type  of  incident  to
a  maximum  of  eight.  The  result:  Employees
can  connect  to  the  system  using  a  56K
modem  with  pages  loading  in  under  three
seconds.  And  they  can  also  access  the  system
from  an  Internet  cafe  or  any  other  Web
connection.

According  to  Marlow,  who  is  also  COO 
of  Gale  GFS’s  parent,  the  Gale  Company, 
4  Not-So-Great  Moments
in  Crisis  Management


1.  Covering  up  After  a  burglary  at
the  headquarters  of  the  Democratic
National  Committee  in  the
Watergate  apartment  complex  in
Washington,  D.C.,  in  1972,  President
Richard  Nixon,  instead  of  turning  in
the  members  of  his  staff  who  conceived
and  executed  the  break-in,
sought  to  protect  them  and  cover
up  his  own  involvement.  A  “smoking
gun”  tape  later  revealed  his  role  and
led  to  his  impeachment  and  subsequent
resignation  on  Aug.  9,  1974.

2.  Bad  intelligence  President  John
F.  Kennedy  approved  a  secret,
underfunded  and  ill-conceived
plan  to  overthrow  the  government
of  Cuban  President  Fidel  Castro  in
1961.  The  scheme  assumed  that
when  U.S.-trained  Cuban  exiles
landed  in  the  Bay  of  Pigs  in  Southwest
Cuba  they  would  be  supported
and  joined  by  thousands  of  freedom-loving
Cubans.  They  weren’t,  and  the
invasion  failed  ignominiously.

3.  Poor  diligence  Information  broker
ChoicePoint  sold  the  personal
information  of  145,000  people  to
inadequately  vetted  bogus  businesses.
As  a  consequence,  many
people  later  became  victims  of
identity  theft.  ChoicePoint  will  pay
$15  million  to  settle  charges  it  failed
to  protect  consumers’  information,
the  Federal  Trade  Commission
announced  in  January  2006.

4.  Failed  processes  A  laptop  containing
sensitive  personal  information
on  26.5  million  U.S.  veterans
was  stolen  May  3  from  the  suburban
Maryland  residence  of  a  Veteran’s
Administration  data  analyst  who
wanted  to  work  at  home  but  did
not  have  remote  access  to  the  VA’s
system.  News  of  the  theft  was  kept
under  wraps  for  19  days.  A  week
later,  Michael  H.  McLendon,  VA
deputy  assistant  secretary  for
policy,  announced  his  resignation.

-S.P.


the  main  challenge  was  to  make  sure  that 
top  executives  could  communicate  with 
employees  from  inside  an  affected  location 
using  multiple  forms  of  communication. 
Just  after  the  9/11  attacks,  for  example, 
telephone  traffic  was  rerouted  and  it  was 
impossible  to  call  the  World  Trade  Center 
area  using  landlines.  In  the  London  bombings,
the  cellular  network  was  essentially
shut  down,  but  Internet  and  BlackBerry 
communication  was  still  working. 

“The  goal  is  to  be  prepared  for  any  type 
of  incident,  whether  it’s  a  hurricane  or  tornado,
or  bomb  scare  or  terrorist  attack,”
says  Marlow.  “Communication  lines  will 
be  affected  depending  on  the  incident,  so 
we  need  to  remain  flexible.” 

Blogging  for  Safety 

When  a  Gale  GFS  employee  first  logs  on 
to  his  computer,  he  sees  a  welcome  screen 
filled  with  company  news  and  announcements,
similar  to  countless  other  corporate
intranet  sites.  Gale  GFS’s,  however,  has  a
small  box  in  the  upper  left-hand  corner:  the
Incident  Reporting  System.  Depending  on
the  employee’s  location,  that  box  may  contain
information  on  power  outages,  fires  or
impending  hurricanes.  Like  a  journal  or 
blog,  the  entries  track  developments  and 
conversations  between  employees. 

For  example,  a  property  manager  in 
Houston  logged  on  to  the  IRS  on  Sept.  23, 
2005,  alerting  employees  in  the  area  as 
Hurricane  Rita  approached.  The  subsequent
back  and  forth  between  the  property
manager  and  other  employees  chronicles
the  weather  reports  and  developing  plans
to  secure  property  and  account  for  employees.
Each  time  an  alert  was  placed  on  the
intranet  site,  employees  were  notified  on 
their  mobile  devices  and  via  e-mail. 

Each  case  or  incident  is  archived  in  the 
system  so  that  others  can  retrieve  them 
from  the  database  in  order  to  study  them. 
“From  reading  and  analyzing  the  information,
we  can  gather  best  practices  and  bring
them  back  to  the  company  as  a  whole,”  says
Chris  Furlong,  manager  of  education  and
training  for  Gale  GFS.  Each  session,  however,
is  available  for  viewing  only  by  the
employees  working  with  a  specific  client
so  as  to  maintain  security.  For  example,  if
an  AT&T  site  experiences  a  power  outage,
only  Gale  employees  working  on  that
account  (and,  of  course,  their  client,  AT&T) 
will  be  able  to  see  what’s  going  on.  Furlong 
says  that  new  employees  can  be  trained  on 
the  system  in  10  minutes. 

Before  the  IRS  system  was  developed, 
employees  had  to  stay  on  the  phone  for 
long  stretches  in  order  to  stay  up  to  date, 
says  William  Mellin,  a  Gale  GFS  VP.  With
the  IRS,  people  can  do  their  job  while  they
check  the  site,  or  get  information  via  handheld
devices.  “It’s  more  productive  to  have
people  working  than  tied  to  a  conference 
call  or  webcast,”  Mellin  adds. 

Messineo  also  says  that  before  the  IRS, 
e-mails  between  employees  created  a  “spider
web”  in  which  messages  crossed  each

other,  and  made  it  hard  to  make  sure  who 
was  speaking  to  whom  and  when. 

People  Versus  Property 

When  the  London  bombs  went  off,  Marlow 
was  watching  the  early  morning  news  on 
TV  at  his  home  in  New  Jersey.  He  immediately
picked  up  the  phone.  Within  minutes
an  incident  report  was  opened  on  the  company
intranet  and  Marlow  had  accounted
for  the  safety  of  the  top  four  executives  in
the  region,  including  McCrae,  who  had
provided  the  initial  information  to  a  colleague
in  France.  Then  McCrae  got  in  touch
by  phone  with  the  manager  of  Gale  GFS’s 
account  with  GlaxoSmithKline,  one  of  its 
largest  clients  in  the  London  area,  who  was 
able  to  log  on  to  the  intranet  and  account 
for  all  employees  at  those  London  facilities 
through  the  IRS. 

When  all  employees  in  the  London  area 
had  been  accounted  for,  Marlow  sent  out  a 
worldwide  e-mail  alert.  “As  a  global  company,
we  have  people  all  over  the  world,  and  in  the
event  of  a  major  disaster,  everyone  wants  to 
know  about  people’s  safety,”  Marlow  says. 

Meanwhile,  in  London,  McCrae  had 
convinced  the  owner  of  a  pub  in  Leicester 
Square  to  allow  him  and  two  colleagues  to 
hole  up  there  for  the  afternoon.  With  the 
trains  and  buses  stopped,  traffic  closed, 
and  phone  and  cellular  networks  failing, 
McCrae  spent  the  next  hours  using  his 
BlackBerry,  which  was  drifting  in  and  out 
of  service,  to  send  and  receive  information. 
“That  day  was  filled  with  lots  of  uncertainty,
and  many  companies  struggled  to
communicate,”  says  McCrae,  who  was  able 
to  feed  information  about  the  attack  and  its 
aftermath  to  colleagues  who  then  updated 
the  IRS.  “I  didn’t  realize  the  power  of  the 
portal  until  then,”  he  says. 

Gale  GFS  isn’t  the  first  or  the  only  company
to  use  a  combination  of  Internet
and  mobile  technologies  to  keep  track  of
employees  and  monitor  crisis  situations.
Companies  are  increasingly  looking  at
building  websites  that  can  account  for  the
whereabouts  and  status  of  employees  (and
in  the  hotel  industry,  guests),  says  George
Washington  University’s  Harrald.  Others
are  looking  into  Web  conferencing  systems
that  can  provide  emergency  meetings
around  the  world.  And  some  are  considering
using  companies  such  as  ijet  and  U.K.-based
Control  Risks  Group  to  provide  Web
conferencing  services  that  can  keep  tabs
on  far-flung  employees  and  also  provide  a
dashboard  on  which  executives  can  monitor
employee  whereabouts  and  safety.

Security  software  vendor  SunGard 
Availability  Services  has  offered  a  “notification
service”  for  the  past  three  years  that
allows  companies  to  keep  in  touch  with 
employees  through  multiple  channels.  Don 
Norbeck,  product  manager  at  SunGard 
Availability  Services,  says  the  service  was 
initially  hard  to  sell,  but  no  more. 

“Technology  is  starting  to  replace  traditional
call  chains,”  says  Harrald.  Up  until
9/11,  companies  viewed  crisis  management
primarily  as  an  exercise  in  property
protection.  After  the  attacks  on  the  World
Trade  Center  and  the  Pentagon,  that  perception
changed.  For  example,  Harrald
knows  an  employee  of  a  large  bank  who,
in  the  wake  of  9/11,  had  to  call  the  homes  of
thousands  of  employees  to  see  if  they  were
alive.  “Companies  are  trying  to  get  away
from  that,”  he  says.

For  organizations  now  looking  to  build 
a  system  to  track  employees  and  share 
information  during  a  crisis,  Gale  GFS 
serves  as  a  model  for  those  who  want 
to  add  a  discussion  board  to  an  already 
existing  intranet  or  portal.  Mellin,  who  is 
a  portfolio  manager  on  the  AT&T  account 


Crisis  Management  Tools

The  most  important  thing
is  to  have  a  lot  of  them

In  crisis  management,  redundancy
is  key.  That’s  why  Gale
Global  Facility  Services  built
its  Web-based  Incident  Reporting
System  (IRS)  so  that  it  can
contact  employees  on  multiple
devices.  Chris  Messineo,  Gale
GFS’s  assistant  VP  for  IT,  says  it’s
also  a  good  idea  to  collect  employees’
personal  e-mail  addresses  as
well  as  their  professional  contacts
so  they  can  be  reached  if  the  company
network  crashes.  Here’s  a
list  of  hardware  and  software  that
should  play  a  role  in  any  crisis
management  plan:

Intranet  site  or  portal  Make  it
secure  but  easy  to  access  from  a
Web  browser,  without  the  need  to
download  software.

Devices

Cell  phones
Laptops
Pagers
PDAs

Telephone  landlines  Keep  good
records  of  employee  home  phone
numbers  as  well  as  work  lines.

E-mail  Keep  records  of  employee
home  e-mails,  such  as  Yahoo,
Gmail  or  Hotmail,  in  addition  to
work  e-mail  addresses.  -S.P.


and  has  been  using  the  system  for  the  past 
three  years,  says  he  would  recommend 
the  simple,  Internet-based  system  because 
the  need  for  training  will  be  very  low.  By 
adding  a  forum  or  chat  module  to  an  existing
secure  intranet  site  or  portal,  companies
can  quickly  document  an  employee’s
safety,  while  sending  important  information
to  those  in  the  field.  Messineo  says
that  such  modules  are  relatively  easy  to
develop  internally  using  tools  such  as
Microsoft  .Net  and  are  very  easy  to  maintain.
All  data  can  be  backed  up  each  day
on  a  standard  Dell  server  using  .Net  SQL 
and  on  a  duplicate  server  offsite. 

Preparing  for  “Next  Time” 

While  McCrae  sat  in  the  pub  in  the  aftermath
of  the  bombings,  he  was  frustrated
that  he  couldn’t  feed  information  directly  to 
the  IRS.  The  system  was  built  before  every 
executive  carried  a  BlackBerry,  so  it  did 
not  allow  for  direct  feeds  from  the  device 
to  the  site.  Instead,  McCrae  was  sending 
comments  about  his  well-being  and  the 
condition  of  employees  to  colleagues  in  the 
United  States  and  France,  who  then  logged 
the  information  on  to  the  intranet. 

That  will  change.  Messineo  and  his  IT 
team  are  now  working  to  allow  BlackBerry 
and  cell  phone  users  to  send  text  directly 
to  the  IRS.  This  involves  new  coding  that 
will  accept  BlackBerry  messages  as  real-time
updates.  By  the  third  quarter  of  this
year,  if  a  hurricane  hits,  a  power  line  goes
down  or  a  bomb  explodes  anywhere  where
Gale  does  business,  its  employees  will  be
able  to  get  in  touch  with  the  IRS  instantly,
Messineo  says,  from  any  device. 

Although  McCrae  hopes  there  won’t  be 
a  next  time,  he  believes  his  experience  in 
the  hours  following  the  bombings  taught 
him  some  key  lessons. 

“It’s  important  to  imagine  how  you 
would  respond  to  a  wide  range  of  crises,” 
he  says.  “Then,  you’ve  got  to  have  a  system 
that  will  allow  you  to  communicate  using 
multiple  devices.  If  you  have  flexibility, 
you  have  a  much  better  chance  of  finding 
your  employees  and  making  sure  that  your 
property  and  systems  are  in  place.”


Senior  Writer  Susannah  Patton  can  be  reached 
at  spatton@cio.com. 
ALL  THAT


Smart  CIOs  are  experimenting  with  new  Web-based  technologies
to  integrate  their  customer  data  applications  without  having  to
rip  out  their  legacy  systems.  But  before  they  plunge  into  the
implementation,  they  need  to  craft  a  data  management  strategy.

BY  THOMAS  WAILGUM 


THE  MULTIPLE  MERGERS  THAT  FORMED  INSURER
UnumProvident  in  the  late  ’90s  aggregated  billions  in  revenue,  assembled
thousands  of  employees—and  created  a  quagmire  of
customer  data  systems  that  couldn’t  talk  to  each  other.  In
all,  between  Provident,  Colonial,  Paul  Revere  and  Unum
there  were  34  disconnected  policy  and  claims  back-office
systems,  all  loaded  with  critical  customer  data.  As  a  result,
“it  was  very  difficult  to  get  your  hands  around  the  information,”
understates  Bob  Dolmovich,  UnumProvident’s
VP  of  business  integration  and  data  architecture.  One
UnumProvident  customer’s  account,  for  instance,  might
exist  in  multiple  places  within  the  newly  combined
company,  leading,  of  course,  to  a  great  deal  of  waste.

Reader  ROI

::  Data  management  strategies
for  CRM  success

::  Why  business  ownership  of
customer  data  is  so  critical

::  The  role  Web  services
and  service-oriented  architectures
play  in  new  CRM
approaches

For the first couple of years after the mergers, UnumProvident
used a homegrown data-store solution as a
Band-Aid. But by 2004 the $10 billion disability insurer
felt compelled to embark on a new master data management
strategy aimed at uniting the company’s disparate
pockets of customer data, including account activity,
premiums and payments. Core to UnumProvident’s strategy
would be a customer data integration (CDI) hub, built on
service-oriented architecture (SOA), using a standard set
of protocols for connecting applications via the Web (in
effect, Web services). The project, begun in early 2005,
has already improved data quality, soothed the multiple
customer records headaches and created the possibility
for a companywide, in-depth customer analysis. But as
Dolmovich acknowledges, there’s still a long way to go.
Of those original 34 systems, he has been able to get rid
of only four to date. But he’s still optimistic.

Huge CRM implementations too often left
companies with tools and systems they couldn’t
or didn’t want to use.

“The desired end state is a CDI hub that has information
about all customers across all products,” he says.

THE  QUEST  FOR  THE 
CRM  HOLY  GRAIL 

Despite the long, slow slog, Dolmovich is hoping that
the new CDI approach will ultimately give his company
the 360-degree view of the customer that has been
promised by vendors since the dawn of CRM. In the late
’90s, enterprise software vendors like Oracle, PeopleSoft
and Siebel sold the single-customer view as CRM’s
holy grail. But implementation flameouts and legacy
integration nightmares soured many CIOs on these
expensive enterprisewide rollouts. More recently,
on-demand CRM has generated a lot of buzz, but it too has
run into scaling and integration problems, particularly
at large companies. (See “The Truth About On-Demand
CRM,” www.cio.com/011506.)
A CDI hub differs from a traditional CRM solution in
that a CDI hub allows a company to automatically integrate
all of its customer data into one database, while
ensuring  the  quality  and  accuracy  of  the  data  before 
it  is  sent  to  the  hub’s  central  store  for  safekeeping.  A 
standalone  CRM  system  can’t  do  that  because  it  can’t  be 
integrated  with  the  billing,  marketing,  ERP  and  supply 
chain  systems  that  house  customer  data,  and  it  has  no 
way  to  address  inconsistent  data  across  platforms. 

What is also missing in many of these earlier CRM
implementations, experts say, is a management strategy
that identifies important customer data and lays out a
disciplined governance process to ensure its quality and
its integration with critical systems. “Unless companies
have a broad strategy about how [to manage their data],
no matter how good transactional systems are, they’re
not going to be able to deliver,” says Ronda Krier,
Oracle’s senior director of product strategy.

An  increasing  number  of  CIOs  are  now  realizing  the 
importance  of  such  a  data  management  strategy  and  are 
experimenting  with  Web  services  technology  to  unite 
legacy  systems  with  new  applications  without  having 
to  rip  and  replace  everything.  Many  of  these  CIOs  are 
building a service-oriented architecture that can integrate
their divergent applications into a
CDI hub via the Web.

However, much like the CRM implementations
that preceded it, this new
approach is neither cheap nor fast. Ray
Wang, Forrester Research’s principal
analyst of enterprise applications, says
that average CDI installations cost nearly
$5 million for licenses and implementation
services. And they can take much
longer than expected. (UnumProvident’s
CDI implementation, still unfinished,
has taken a year so far.) But that’s still
cheaper and quicker than ripping out all
of a company’s old systems and installing
proprietary enterprise CRM.

A  CDI  strategy  is  especially  relevant 
to  mid-market  CIOs  who  may  not  have 
the  budget  to  buy  proprietary  CRM 
solutions  or  the  time  to  invest  in  the 
typically  arduous  CRM  implementation 
process  which,  according  to  Gartner’s 
guideline  for  enterprise  CRM  rollouts, 
can  cost  more  than  $20  million  over 
a three-year period. (Some CRM failures
have run up to $100 million in
overall costs. See “AT&T Wireless Self-Destructs,”
at www.cio.com/041504, for
one disastrous example.)

“The  beauty  of  [the  CDI  hub 
approach]  is  that  most  organizations 
already  have  most  of  the  pieces  in 
place,”  Wang  says.  “They  just  need  to 
find  a  way  to  pull  it  all  together.” 




Scott  Sullivan,  VP  of  IT,  Pitt  Ohio 
Express: “If the customer's address is
‘the  back  gate  at  K-Mart  plaza,’  that’s 
OK  for  the  driver,  but  not  for  sales  and 
marketing.” 
THE PROBLEM’S NOT THE
SOFTWARE;  IT’S  YOU 

In the late ’90s, CRM vendors promised that their software
could give companies the ability to leverage customer
data to boost sales. That software cost millions
and  took  years  to  install,  and  yet  at  the  end  of  those 
marathons  many  companies  were  left  with  tools  and 
systems  they  couldn’t  or  didn’t  want  to  use.  Integration 
often  was  incomplete,  data  frequently  dirty,  and  all 
too  often  companies  had  no  guidelines  for  who  would 
own  the  data  or  how  it  would  be  input  and  reconciled 
among  systems.  Eventually,  business  and  technology 
executives  became  disillusioned  with  the  enterprise 
approach.  Many  companies,  large  and  small,  turned  to 
on-demand  CRM,  only  to  find  out  it  also  had  problems 
with  costly  customizations  and  real-time  integration 
challenges. 

In a 2005 Forrester survey of 22 Fortune 1000 companies
in North America, Europe and Asia, business
and IT leaders voiced widespread disillusionment with
their CRM implementations. Just 14 percent strongly
agreed that their CRM applications had improved end
user productivity, and only 10 percent strongly agreed
that they had achieved the business results they were
expecting. CRM implementations “always seemed to
overpromise and underdeliver,” says Dolmovich. In
fact, for many years UnumProvident’s CIO forbade his
IT staffers from using the CRM word to describe their
customer data management plans because of the negative
connotations attached to the acronym.

In  the  Forrester  survey,  executives  acknowledged  they 
were partly to blame for CRM’s bad reputation. They confessed
that they had not spent sufficient time on defining
data  requirements  and  managing  data  quality.  In  another 
survey  by  Cutter  Consortium,  64  percent  of  corporations 
admitted  that  they  lacked  a  formal  strategy  for  using  the 
customer  data  they  had  spent  millions  to  collect. 

“When the company doesn’t have rules and policies
[for data], the data has been largely corrupt,” says
Anthony  Lye,  Oracle’s  group  VP  of  CRM  products. 

THE  IMPORTANCE  OF 
BUSINESS  OWNERSHIP 

The  first  step  toward  creating  an  integrated  customer 
data  system  is  to  sit  down  with  key  business  executives 
and  ask  them  what  they  want.  Do  they  want  to  focus  on 
keeping  the  customers  they  have  or  on  attracting  new 
ones?  Are  they  concerned  more  with  decreasing  lead 
generation  costs  or  shortening  the  sales  cycle?  Once 
IT  knows  what  the  business  side  wants  to  achieve,  IT 
can  help  the  business  identify  which  data  sources  are 
important  and  which  are  not. 

Next, the business and IT need to agree on an information
management policy: Who has access to what
customer information and what can they do with it?
How will they access that data? How will they make
changes to it?

www.cio.com | AUGUST 1, 2006

The Top 10

Consumer data integration and master data
management products in alphabetical order

1. Customer Data Hub
Oracle
www.oracle.com
Synchronizes information in a central location from all systems
throughout the enterprise to provide a single view of company data.

2. Identity Hub
Initiate Systems
www.initiatesystems.com
Provides a system of record for each customer, household or
company you do business with by identifying relevant duplicate and
fragmented records wherever they may be and linking them
across data sources.

3. Integration Server
SAS-DataFlux
www.dataflux.com
Integrates all relevant business rules throughout the IT environment.

4. Master Data Management
I2/Teradata
www.i2.com
Creates a single enterprise thesaurus to ensure data is consistently
described, used and stored within an organization.

5. MRM
Siperian
www.siperian.com
Creates and delivers accurate and unified customer views to
drive business actions across multiple channels.

6. NetWeaver MDM
SAP
www.sap.com
Unifies integration technologies on a single platform and is
preintegrated with business apps.

7. One Data
Data Foundations
www.datafoundations.com
Centrally manages master data across multiple subject areas to
improve accuracy.

8. System 9 MDM
Hyperion Solutions
www.hyperion.com
Synchronizes master metadata—such as business dimensions,
reporting structures, hierarchies, attributes and business
rules—across distributed data warehouses, data marts,
analytic applications and transaction systems.

9. Universal Customer Master
Oracle-Siebel
www.siebel.com
Unifies customer data across business units and disparate systems
to provide a single source of customer information.

10. WebSphere Customer Center
IBM
www.ibm.com
Provides real-time, transactional customer data integration.

SOURCE: CDI Institute MarketPulse Survey, May 2006

For CIOs, the key to success is making sure the
business takes ownership of customer data. At
AmerisourceBergen Specialty Group (ABSG), a $7 billion
pharmaceutical supplier, the mantra that “the business owns
the customer data” has been critical to the company’s
CRM success, says CIO Dale Danilewitz. In 1999, when
ABSG broke away from its parent company’s systems,
executives articulated what they wanted: more granular,
reliable customer information accessible in one repository
and accessible in real-time. It was Danilewitz’s job
to make that happen. And although Danilewitz initially
believed that an off-the-shelf CRM system might do the
trick, he found that his business users’ needs didn’t align
with what was on the shelf at the time. So IT cobbled
together a mixture of applications and systems to form
a homegrown CRM system, essentially a conglomerate
of custom-built applications and vendor platforms and
databases. In the center, tying everything together, is a
data warehouse that provides real-time and historic customer
data, and is integrated with other data stored in
ABSG’s e-commerce applications, financial systems and
customer data applications.

Today,  Danilewitz  says  ABSG’s  system  satisfies  users 
from  the  sales,  call  center  and  marketing  sides.  And 
because  these  business  units  understand  the  data’s 
worth,  Danilewitz  says,  they  take  pains  to  ensure  that 
they don’t add data that will “adulterate” their own systems.
“The business users check the data, run reports
on  the  data  to  make  sure  it’s  accurate,  and  run  technical 
applications  to  check  quality,”  Danilewitz  says. 

Data stewards from the business, as well as gatekeepers
from IT, compose a CRM team charged with
driving new data management solutions. But the business
users are always in front.

DESCRIBE,  DEFINE,  GOVERN 

Similarly, when Scott Sullivan joined Pitt Ohio Express,
a $238 million mid-market transportation company, as
its VP of IT and services, one of the first things he did
was sit down with his business users and help them
define what exactly the term customer meant to them.
Sullivan helped the business narrow its list of customers
from 450,000 to 10,000 active consumers of its
services. Sullivan also pulled the plug on an ERP system
rollout because he thought it wasn’t going to satisfy
the company’s needs and was going to take longer than
had been originally projected. (The project was green-lighted
before Sullivan joined Pitt Ohio in 2001.) Since
then, Sullivan has integrated an assortment of existing
applications to form a customer management system
for the sales and marketing group and the operations
department. (For more on the integration challenges
confronting mid-market CIOs, see “Stuck in the Middle
with SOA,” Page 54.)

Sullivan also spent time ensuring that Pitt Ohio
Express’s customer data was clean. Dirty
data is hardly a new problem, but the fact
that CIOs are still complaining about it,
analysts are still noting its prevalence,
and vendors are still selling solutions to
address it indicates that it hasn’t gone
away. Dirty data problems are amplified
by the number of systems and users that
touch customer data, especially if there are
no established governance processes or
technology safeguards. For example, Sullivan
points to the disconnect in address
requirements between the sales and marketing
department and the operations
division. The sales and marketing group
needs exact addresses, whereas drivers
can get by with more inexact data. “If the
address is ‘the back gate at the Kmart
plaza,’” he says, “that’s OK for the driver,
but not so great for sales and marketing.”

And if no one takes ownership of making
sure the data is consistent, “there can be up to 10
to  15  different  versions  of  your  customers  [within  your 
company],”  says  Tom  Reilly,  IBM’s  VP  of  master  data 
solutions. 

Once your management team has formulated a
data management strategy—say it wants to improve
the ways in which the company targets and contacts
prospects—it’s time to consider the technology options
available to integrate all the customer data so that sales
and marketing will be going after the most appropriate
customers. You can go the enterprise vendor route,
or have your CRM systems hosted by an on-demand
vendor like Salesforce.com. Or you can integrate existing
customer-data systems by building a service-oriented
architecture or structure using the Web to knit
together all the customer information contained within
a company’s business applications. UnumProvident’s
Dolmovich decided to go the Web services route. He
chose IBM’s WebSphere Customer Center product to
pull together the pockets of customer data on account
activity, payments and premiums.

Dolmovich says the first data loaded into the CDI hub
in late 2005 came from business customers (companies
or employers that bought or sponsored UnumProvident’s
disability products) and brokers (the independent
businesspeople who sell them). With the new
system, Dolmovich says, “We are now able to assimilate
and display a broker’s entire block of business and
create some statistics and a profile of our relationship
with that broker.” UnumProvident is now working to
create individual profiles of employer customers so
that every time a new customer account is created or
accessed—perhaps to change an address or add new
customer information—all employees of the insurance
company, regardless of what system they are using, will
see that change at the same time.


THE  NEW,  NEW  HYPE 

Whenever a new CRM solution emerges, it’s inevitably
followed by hype, complexity and confusion. CDI is no
different, says Colin White, founder of consultancy BI
Research. One challenge for companies embarking on a
master data management strategy is getting all parties
to agree on common definitions and labels for categorizing
customer data. Starwood Hotels & Resorts Worldwide
is currently in the process of sunsetting its legacy
mainframe system in order to move to an SOA environment.
The aim, says Song Park, Starwood’s director
of pricing and availability technologies, is to allow for
more real-time and online reservation capabilities and
transactions for its 900 hotels in 80 countries. But a
major pain point for the groups working on the SOA
migration has been hammering out the data labels and
definitions for the Web services that will be consistent
across the SOA implementation. How, for example, one
group defines a specific hotel’s property identification
label can vary from PID, to pID, to property ID, to name
just a few of the possibilities, Park says. “How do you
synchronize [those labels]? Who owns that data? Who’s
mapping those things?” Park asks.


All  About  CRM 


Our  CRM  coverage— from  the  issues 
surrounding  on-demand  to  news  about 
new  initiatives  and  technologies— can  be 
found  at  our  CRM  RESEARCH  CENTER  at 
www.cio.com/enterprise/crm. 



Park says he’s pushing for a data dictionary of pre-established
services so that the developers working on
the  project  can  employ  a  common  set  of  labels.  “And  the 
developers  need  to  talk  to  each  other,”  Park  adds. 

Stuck in the Middle
Without an SOA

Can CIOs at midsize companies just say no
to service-oriented architecture? It ain’t easy.

According to a 2006 Forrester report by VP Randy Heffner, fewer
midsize companies have enterprisewide plans for service-oriented
architecture (SOA) than larger ones. The reason most
often given, Heffner says, is that IT departments at midsize
companies are too small to deploy formal enterprise architecture
teams. But, paradoxically, an earlier 2005 Forrester survey
reported that 44 percent of small and midsize companies said that
implementing an SOA was a high or critical priority.

It seems that many small and midsize enterprises are too small
to embark on an SOA implementation but too large to move the
enterprise in a common direction without one.

Scott Sullivan, VP of IT and services at mid-market transportation
company Pitt Ohio Express, is, like many of his colleagues,
stuck in the middle. Sullivan doesn't have a formal architecture
team and has no immediate plans for moving to an SOA environment
“since we’re running software that has been built over the
years and don’t have the need at this time to look at a different
architecture,” he says. But, he continues, “It is something we will
consider as we move forward depending on the nature of the work
and how the approach will fit into our overall environment.”

Which qualifies as a definite maybe. -T.W.

Starwood has multiple systems containing customer
data, including individual hotel systems, Starwood’s
inventory and central reservation systems, a system that
determines rates and another to coordinate all of the
communication, says Park. Since these systems don’t
communicate as well as they should, hotel managers
have blind spots. They can’t understand, for instance,
why some customer interactions are
successful (a customer asks for a specific
room and it’s available) and others
are not (the customer asks for a room
and doesn’t get it). “Today, we can do
that [success and reject] analysis to a
degree,” says Park. But the business
users can’t see the trends behind success
or rejection on a broader scale.

Starwood  believes  that  after  its  move 
to  an  SOA  environment  all  these  systems  will  be  able 
to  connect  and  automatically  reconcile  all  reservations 
systems  data  with  rate  and  availability  data  to  ensure 
that  accommodations  are  available  at  the  right  price, 
place  and  time.  There’s  so  much  data  flowing  through 
Starwood’s  systems  (upwards  of  a  billion  distinct  pieces 
of  data)  that  ironing  out  the  meta-data  plan  from  the 
get-go  is  paramount.  And  the  pressure  is  on,  especially 
from  the  business  side.  “It’s  not  a  nice-to-have  system; 
it’s  an  absolute  necessity  to  survive,”  Park  says  of  the 
SOA  migration. 

As is the case with all CRM-type implementations,
the move to SOA and a customer data management
solution won’t come cheaply. Forrester’s Wang says
that an average CDI installation costs around $1 million
for licenses and requires implementation services
in the $3.5 million to $4 million range. In addition, rolling
out a CDI hub often can take longer than what the
vendors promise, which is what happened at UnumProvident.
Dolmovich notes that while IT is adding customer
data to the CDI hub, it still has to maintain some
synchronization of data with the old system until it can
be replaced. “It’s rare that the initial implementation of
a CDI hub actually replaces its predecessor customer
files,” he says. “There are often many reasons to sustain
both, but you do need to begin a migration whereby the
CDI hub becomes the system of record, and changes
to customer data are propagated as necessary back to
legacy files.”

The big enterprise vendors have taken note of the rising
interest in SOA and CDI, and Forrester’s Wang says
that  both  Oracle  and  SAP  have  announced  that  their 
next-generation  applications  will  offer  similar  solutions 
that  they  claim  will  play  nicely  with  each  other.  But 
CIOs  will  have  to  wait  for  these  new  products:  SAP’s 
SOA  will  not  debut  until  2007,  Oracle’s  in  2008. 

In  the  meantime,  CIOs  need  to  figure  out  alternative 
ways  to  fix  their  CRM  disconnects.  To  Wang,  the  move 
is  a  simple  yet  crucial  one.  “They  need  to  take  a  step 
back and make a plan,” he says.

Senior Writer Thomas Wailgum can be reached at twailgum@cio.com.
Communicating IT’s Value:
Tools and Tactics

Most CIOs know that educating
the business about IT is
a key part of their job, but
many struggle to find the right tools
and tactics. Should they publish a
monthly e-mail newsletter or will that
just clutter already-bulging inboxes?
Should they build support for IT projects
one VP at a time or should they
draw business peers into a formal
cross-company dialogue?

When we asked members of the CIO
Executive Council for their advice, it
quickly became clear that there’s no
one-size-fits-all strategy. Sometimes,
CIOs say, it’s best to simply walk into
the VP’s office for a quick chat. Other
times, a professionally produced report
or presentation can bring the IT message
to life and make it easier to deliver
across the company.

“I’ve been in this business going on
nine years, and there’s no way you’re
going to be successful with one form
of communication,” says Scott Kressner,
VP and CIO of Rush Enterprises, a
Peterbilt truck dealer. “You’ve got to pick
the right one for the right situation.”

Here are some tips from Council
members on the most effective tools
for educating the business about IT.

Formalize the forum. IT Steering
Committee, Executive Board of Customers,
Information Resources Users Group—whatever
you call it, CIO Executive
Council members say
that a formal IT advisory
body is one of the most effective means
for educating business peers about
IT. Of course, CIOs use these advisory
boards for feedback on (or, in some
cases, approval of) planned projects. But
advisory boards also offer CIOs a forum
for educating business peers about IT’s
capabilities and strategic value. For
example, the VP of finance may not be
up on how a new sales-force automation
initiative is making the sales team
more efficient, or the VP of HR may not
understand why his website upgrade
may need to take a backseat to a critical
supply chain management
initiative. The advisory
board is where this communication
can take place.

For Mark Zielazinski,
former CIO at El Camino
Hospital, an Information
Systems Steering Committee
has given him a forum
to educate executives about
the importance of steady spending on
IT infrastructure. As a result, he’s had
consistent IT capital spending levels
for the past three years, a welcome
change from the peaks and valleys of
the past. “We made them understand
what sustained funding is, and the

Continued on Page 60


[TOOLBOX] 

Develop  IT  Ambassadors 

CompuCredit CIO Guido Sacchi has developed an internal IT recognition program around a simple
theme: “Be known.” He urges IT staff to “be known” by the business for the personal contribution
they make to the company. Sacchi's goal was to get his staff out of their cubicles, into the field and
close to their internal customers, so the IT staff would be seen as personally responsible for delivering
IT value. “I want everybody in IT to be an ambassador for IT,” Sacchi says.

Sacchi also uses the Be Known program to help boost the morale of IT staff. He has printed Be
Known note cards that his senior managers use to recognize staff for demonstrating value, adding
handwritten notes to reinforce the message. For example, “John, thank you for demonstrating leadership
in that meeting: I thought you carried the day.” -Sari Kalin
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It  takes  years  to  come  back  from  a  headline  like  this. 


Network  Breach  Exposes 
on  2,700,000  Customers 




Join  us  for  two  days  this  September 
to  ensure  your  company  stays  off 
the  front  page. 




Introducing  The  Security  Standard 


The  premier  enterprise  security  summit  designed  to  address 
the  converging  business  and  technology  challenges  facing  CIOs, 
CSOs  and  IT  Leaders. 

Brought to you by IDG, the publisher of CIO, Computerworld,
CSO,  InfoWorld  and  Network  World,  The  Security  Standard  is 
the  first  and  only  forum  to  bring  together  the  visionaries  and  the 
views  to  help  you  leverage  security  as  a  competitive  advantage. 
You’ll  listen  to  key  stakeholders  from  within  and  outside  the 
organization  as  they  debate  the  most  pressing  cultural, 
political,  business  and  technical  challenges  facing  security 
professionals  today. 


Identify  Effective  Risk  Management  Strategies 
Choose  the  Right  Technology  Strategies 
Understand  How  Security  Influences  the  Business 
Explore  Perceptions  Beyond  the  Organization 
Evaluate  the  New  Threat  Landscape 


Register  before  August  25th,  and  you’ll  save  $200  off 
the  regular  rate  of  $1,295. 

Visit  www.thesecuritystandard.net/CIOA3  or  call 
1-800-643-4668. 


Here’s  just  a  small  sample  of  the 
speakers  you’ll  meet: 


Keynote  Speaker 

John  Chambers,  President  and  CEO 
Cisco  Systems 

Welcome  Address 

Patrick  J.  McGovern,  Founder  and  Chairman 
International  Data  Group 


Edward  G.  Amoroso,  CSO,  AT&T 

Scott  Blake,  CISO,  Liberty  Mutual  Insurance  Group 

Tom  Bowers,  Manager,  Information  Security 
Operations,  Fortune  100  Pharmaceutical  Company 

Beth Cannon, Chief Security Officer,
Thomas Weisel Partners

Lloyd Gauntlett Hession, Chief Security Officer,
BT Radianz, Inc.

Michael  Levin,  Deputy  Director  -  Law  Enforcement 
&  Intelligence,  U.S.  Secret  Service  Detailee,  National 
Cyber  Security  Division 
Department  of  Homeland  Security 

Bhavesh  Patel,  Director,  Information  Security 
Genzyme  Corporation 

John  N.  Stewart,  Vice  President  &  Chief  Security 
Officer,  Corporate  Security  Programs  Organization, 
Cisco  Systems 

...  and  many  more  top  security  specialists  and 
business  experts. 
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importance  of  keeping  it  smooth,”  he  says. 

Several  CIOs  also  use  advisory  board 
meetings  to  educate  their  business  peers 
about  emerging  technology  trends. 

For  example,  at  Northrop  Grumman 
Newport  News,  Leni  Kaufman  recently 
briefed  her  IT  steering  committee  about 
the  benefits  of  identity  management, 
even  though  she  had  no  immediate  plans 
to  propose  a  project.  “We  try  to  describe 
things  even  if  they  won’t  start  for  six  to 
nine  months,”  says  Kaufman,  VP  and 
CIO  of  Northrop  Grumman  Newport 
News.  “By  doing  this,  we  increase  the 
IT-savvy  of  the  business,”  she  says. 

At Marriott, members of the Information Resources Users Group sometimes have questions about technology buzz. “They bring up things like, ‘We hear about voice over IP. What is it?’” says Diane Davidson, Marriott’s VP of information resources business planning. “This is a good forum in which to explain it.”


Publish, but be willing to perish. IT-specific publications can play a pivotal role in CIOs’ business education efforts, and it’s not uncommon for CIOs to produce annual reports and quarterly or monthly newsletters. But publications have to be tailored to the company culture.

At Smurfit-Stone Container, for example, the IT annual report is called the “Customer Report,” to emphasize IT’s accountability, says CIO Jim Burdiss. Initially, Burdiss had 50 hard copies of the report professionally printed; the report was also posted online. But the sophisticated presentation sparked criticism from the business side regarding the time and the money invested in it. Now the report is posted online only.

“You’ve got to be careful that what you’re doing isn’t too slick,” Burdiss says. “There’s a point of over-marketing and you’ve got to be sensitive to that.”

At El Camino Hospital, Zielazinski pulled the plug on his monthly e-mailed IT newsletter after a six-month run. People were not opening it. The problem was information overload. The 2,100-employee hospital has 90 departments, and many have their own newsletters. So now Zielazinski’s group contributes to other department newsletters.

Make it easy to be a missionary. While business education is the CIO’s job, the right communication tools will help other frontline IT leaders deliver the same message, thereby broadening its reach. Marriott has developed a snazzy seven-minute PowerPoint presentation called “Technology Now” that highlights the company’s IT direction and the ways it provides value to the business.

Created  on  a  $15,000  budget,  the 
PowerPoint  has  a  voice-over  and  plays 
by  itself.  It  began  its  life  when  Executive 
VP  and  CIO  Carl  Wilson  presented  it  to 
Marriott’s  board  of  directors  in  November 
2005;  subsequently,  senior  IT  leaders 
have  shown  it  to  their  business  partners, 
and  IT  leaders  in  the  field  have  offered  it 
to  owners  and  franchisees. 

Marriott’s information resources communications department has a formal plan and a tracking document to ensure the presentation is shown at all levels of the company. Marriott also has translated the presentation into Spanish, Chinese and German. “This is a tool for people to use to create a broader communication opportunity with their peers,” Davidson says. “People can then tailor the message afterward to the particular group they’re talking to.”


Sari  Kalin  is  a  freelance  writer.  Send  comments 
about  this  story  to  letters@cio.com. 


How  to  Reach  Out  to 
Technology-Shy  Users 

At global nonprofit Save the Children, one of the biggest challenges facing CTO Edward Granger-Happ is getting people on the front lines to use the new technologies his IT department provides. To illustrate that challenge, Granger-Happ notes that “e-mail was just adopted as the primary means of communication within the last five years.”

Granger-Happ takes every opportunity to educate the field staff about the benefits of technology. At a recent training session, for example, he created a scavenger hunt on the corporate intranet both to familiarize the field officers with online content and to get them accustomed to accessing it. Granger-Happ also highlights technologies that have crystal-clear benefit for the staff, such as voice over IP. While it’s true that VoIP saves money, the biggest benefit from a user perspective is that a staff member can reach anyone in the organization, around the globe, simply by dialing a four-digit extension. Granger hopes that “when people adopt one technology, they’ll adopt more technologies. If they see value in IT in their daily job, they’re going to want to use more.” -S.K.


The  CIO  Executive  Council  is  a  professional  organization  for  CIOs  founded  by  CIO's  publisher.  To  learn  more  about  the  Council, 
visit  www.cioexecutivecouncil.com  or  contact  Vice  President  of  Development  Dexter  Siglin  at  dsiglin@cio.com  or  508  935-4493. 
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call  for  entries 


We’re  looking  for  the 
next  generation  of 
standout  IT  leaders. 


Nominees should currently be top IT lieutenants—but not yet full-fledged CIOs


Watch  for  the  application  to  appear 
online  soon. 
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How  to  Talk  to  Americans 


We’re  pleased  to  present  this  exclusive  excerpt  from  How  to  Talk  to 
Americans,  currently  topping  Indian  best-seller  lists.  The  Chennai 
Telegram-Gazette  calls  it  “a  penetrating  journey  into  the  fragile  psyches 
of  our  American  friends.”  The  Mumbai  Sunday  Book  Review  advises, 
“Have  it  handy  during  your  next  conference  call  with  colleagues  in 
San  Jose  or  St.  Louis.” 


When  Americans  tell  you  how  much  they 
love  chai  lattes,  they  are  referring  to  a 
creamy  beverage  they  believe  to  be  of 
Indian  origin.  Just  say  that  you  do  too. 

No one really expects you to read all 267 PowerPoint slides sent as an e-mail attachment. But everyone will be incredibly impressed if you glance at slide 243 and ask whether the x-axis represents thousands or millions.


It  is  helpful  to  know  who  the  actress 
Jennifer  Aniston  is  currently  dating. 
Check  www.usmagazine.com  twice  daily 
for  changes. 

Americans often may seem agitated. This is due to their constant consumption of expensive caffeinated beverages. If they seem on the verge of a breakdown, you could suggest, “You may want to try shifting from Venti to Tall.”


The  term  ASAP  (“as  soon  as  possible”) 
means  "work  on  this  quickly  and  shoddily 
until  I  forget  that  I  asked  you  to  do  it." 

The  American  brain  is  not  capable  of 
grasping  the  rules  of  cricket.  Do  not  try  to 
explain  them. 

Conference  calls  exist  to  give  American 
executives  a  chance  to  do  something 
other  than  listen  to  talk  radio  during  their 
commutes  to  and  from  work.  Much  of  the 
hostility  expressed  during  these  calls  is 
due  to  “road  rage,”  not  to  anything  you’ve 
done  or  said. 

When  the  current  American  president's 
name  is  mentioned,  a  safe  response  is: 
“He’s  very  different  from  his  father,  isn’t 
he?”  (In  2009,  it  may  be  necessary  to 
switch  to:  “She’s  very  different  from  her 
husband,  isn’t  she?”) 

If  you  have  forgotten  the  names  of  an 
American  executive’s  children,  you  can 
refer  to  them  as  “the  kids.”  As  in,  "How  are 
the  kids?" 

The  purpose  of  monthly  status  meetings 
is  to  allow  participants  to  complain  that 
because  they’ve  attended  so  many  other 
meetings  since  the  last  monthly  status 
meeting  they  have  not  been  able  to  make 
any  progress  on  any  of  their  projects. 

Do not mention all the things you have accomplished since the last status meeting. That will antagonize them. Instead, ask for a deadline extension.

When  Americans  say,  “I  look  forward  to 
your  feedback,”  they  mean,  “Just  tell  me 
it’s  OK  or  you’ll  foul  up  my  timetable." 

Residents  of  certain  U.S.  regions  can 
discuss  Nascar  racing  but  not  Woody 
Allen  movies.  In  other  regions,  the 
opposite  will  be  true.  See  color-coded 
map  in  Appendix  D. 
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Master  complexity. 

Whatever  is  in  your  data  center,  Symantec  puts  you  in  control.  That’s  the  promise  behind  the  Symantec 
Data  Center  Foundation.  Thanks  to  the  Veritas  cross-platform  heritage,  this  integrated  software  infrastructure 
solution  supports  virtually  every  major  operating  system,  database,  application  and  storage  hardware  asset 
in  your  data  center.  It’s  reduced  complexity.  It’s  comprehensive  protection.  It’s  the  smartest  move  you  can 
make.  Tour  the  Symantec  Data  Center  Foundation  at  www.symantec.com/datacenter 
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